RSA SecurID Appliance 3.0 Owner's Guide


RSA SecurID Appliance 3.0 Owner’s Guide
Revision 4

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.html file.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2008-2010 EMC Corporation. All Rights Reserved.
November 2008 Revised: July 2011

Revision History

Revision 1, September 2009
- Revised backup and restore procedures.
- Updated information about replica package expiration.
- Added procedure for changing Appliance replica IP address.
- Added information about obtaining current documentation from RSA SecurCare Online.
- Added procedure for backing up and restoring a RADIUS server.
- Removed information about replacing installer-generated certificates.

Revision 2, March 2010
- Added information about rebooting the Appliance from the Operations Console.
- Added chapter about installing and using the Microsoft Management Console (MMC).
- Added procedure for Back Up Now.
- Added information about Schedule Backups.

Revision 3, November 2010; Revision 4, June 2011
- Revised Appliance replica promotion procedure.
- Revised Appliance replica reattachment process.
- Revised Appliance primary attachment process.
- Added troubleshooting information about resolving replica promotion problems.
- Added procedure for importing logs from a demoted Appliance primary.
- Minor revisions and updates to Quick Setup procedure.
- Revised database restore procedure.
- Revised several inaccurate documentation passages.
- Added information about stopping and starting RSA Authentication Manager services on the Appliance.
- Improved content related to configuring authentication methods for the RSA Security Console.
- Added an overview of port traffic with an illustrative graphic and a new ports table.
- Added information about configuring the Appliance to send all log file data to a single file.
- Added information on configuring Syslog for the Appliance.

Contents

Revision History

Preface
  About This Guide
  RSA SecurID Appliance Documentation
  Related Documentation
  RSA Authentication Manager Documentation
  RSA RADIUS Documentation
  Links in the “Additional Tasks” and “Additional Concepts” Sections
  Getting Support and Service
  Before You Call Customer Support

Chapter 1: Understanding Your Deployment
  Understanding the Deployment Process
  RSA SecurID Authentication
  Authenticating Users
  RSA SecurID Tokens
  RSA Authentication Agents
  RSA Authentication Manager
  Concepts to Understand
  Agent
  Deployment
  Hardware Token
  Instance
  Realm
  Replica
  Security Domain
  Software Token
  Differences Between RSA SecurID Appliance and RSA Authentication Manager
  Feature Differences
  Deployment Differences

Chapter 2: Preparing for Deployment
  How to Prepare for Deployment
  Appliance License Types
  RSA RADIUS Deployment
  System Requirements
  Hardware and Operating System Requirements
  Supported Identity Sources
  Supported Browsers
  RSA Authentication Manager Port Usage
  Access Through Firewalls
  RSA SecurID Appliance 3.0 Planning Checklist
  Enabling JavaScript for Appliance Quick Setup
  Conducting a Pilot Test
  Additional Tasks
  Next Steps

Chapter 3: Setting Up the Appliance Primary
  How to Set Up the Appliance Primary
  Unpacking the Appliance Package
  Preparing for Quick Setup
  Appliance License File Download
  Performing Quick Setup on the Appliance Primary
  Putting the Appliance in its Final Location
  Attaching the Power Cord Retention Clip or Bracket
  Additional Tasks
  Next Steps

Chapter 4: Configuring and Using the RSA Authentication Manager Consoles
  Configuring Your Browser to Support the RSA Authentication Manager Consoles
  Accepting Security Certificates
  Adding the RSA Authentication Manager Consoles to Internet Explorer Trusted Sites
  Configuring Authentication Settings for the RSA Security Console
  Logging On to the RSA Authentication Manager Consoles
  Additional Concepts
  Next Steps

Chapter 5: Managing Users and Tokens
  Overview of Managing Users and Tokens
  Adding New Users
  Managing Tokens
  Importing Hardware and Software Token Records
  Assigning and Unassigning Hardware and Software Tokens
  Distributing Hardware Tokens to Users
  Distributing Software Tokens to Users
  Delivering Tokencodes Using Text Message or E-mail
  Additional Tasks
  Next Steps

Chapter 6: Protecting Network Resources with RSA Authentication Agents
  Overview of RSA SecurID Authentication
  Installing RSA Authentication Agent Software on the Resource You Want to Protect
  Creating an RSA Agent Record
  Adding Authentication Agents to the Internal Database
  Allowing Agents to Automatically Add Authentication Agent Records
  Creating and Installing the RSA Authentication Manager Configuration File
  Generating the RSA Authentication Manager Configuration File
  Using Authentication Agents to Restrict User Access
  Granting Access to Restricted Agents Using User Groups
  Setting Restricted Access Times for User Groups
  Additional Concepts and Tasks
  Next Steps

Chapter 7: Setting Up an Appliance Replica
  How to Set Up an Appliance Replica
  Generating a Replica Package File
  Performing Quick Setup on an Appliance Replica
  Attaching the Appliance Replica to the Appliance Primary

Chapter 8: Performing Post-Setup Tasks
  Backing Up the System
  Configure Appliance System Network Settings
  Maintaining Accurate System Time Settings
  Synchronizing Clocks
  Changing the Appliance IP Address
  Update the Primary NIC IP Address on an Appliance Primary
  Update the Appliance Primary IP Address on an Appliance Replica
  Update the Primary NIC IP Address on an Appliance Replica
  Configuring Secondary Network Interface Cards (NICs)
  Integrating the RSA RADIUS Server into the Existing Deployment
  Configuring the RADIUS Server on the Appliance Primary
  Configuring the RADIUS Server on the Appliance Replica
  Editing the RADIUS Server Configuration Files
  Using the RSA Security Console to Replicate Changes
  Adding Clients to the RADIUS Server and Editing Clients
  Testing RSA RADIUS Operation
  Additional Concepts

Chapter 9: Integrating an LDAP Directory
  LDAP Directory Integration
  How to Integrate an LDAP Identity Source
  Failover Directory Servers
  Active Directory Considerations
  Guidelines for Mapping Identity Attributes
  Active Directory Forest Identity Sources
  Active Directory Forest Considerations
  Password Policy Considerations
  Supporting Groups
  Integrating an Active Directory Forests
  Integrating an Active Directory Global Catalog
  Setting Up SSL Between RSA Authentication Manager and LDAP
  Adding an Identity Source
  Linking an Identity Source to a Realm
  Verifying the LDAP Identity Source
  Additional Concepts

Chapter 10: Advanced Administration
  Logging On to the Appliance for Troubleshooting and Advanced Administration
  Enabling SSH on a Network Interface Card
  Logging On to the Appliance
  Running Command Line Utilities on the Appliance
  Password Administration
  Operating System Password Account
  Super Admin Account
  Master Password
  Certificate and Keystore Management for SSL
  Internet Explorer 6 Considerations
  Internet Explorer 7 Considerations
  Importing LDAP Certificates
  Legacy Compatibility Keystore
  Viewing the Appliance Software and License Information
  Viewing the Appliance Software Version Information
  Viewing License Information
  Starting and Stopping RSA Authentication Manager 7.1 Services
  Starting or Stopping All RSA Authentication Manager Services
  Starting or Stopping Individual RSA Authentication Manager Services
  Additional Concepts

Chapter 11: Updating the Appliance
  Update and Rollback Process
  How to Apply an Update
  Configuring an Appliance for Updates
  Scanning for Updates
  Applying an Update
  Rolling Back an Update

Chapter 12: Appliance Logging and SNMP
  Appliance Logging
  Configuring Appliance Log Settings
  Viewing Appliance and Operating System Logs
  Appliance SNMP
  Configuring Appliance SNMP
  Downloading Files
  Configuring Appliance Syslog
  Configure Syslog for an Appliance Environment
  Configuring Local Files
  Configure the Appliance to Send Log Messages to a Local File
  Set the Maximum Number of Local Log Files
  Set the Maximum Size of Each Local Log file
  Additional Concepts and Tasks

Chapter 13: System Maintenance and Disaster Recovery
  Backing Up the Appliance Primary Internal Database
  Back Up Now
  Schedule Backups
  Restoring the Database from a Backup
  Choosing a Method to Restore the Database
  Restoring the System Directly to the Appliance Primary
  Restoring the System from a Backup File to a Promoted Appliance Replica
  Detecting a Failed Appliance Primary or Appliance Replica
  Determining Why an Appliance Might Stop Responding
  What To Do When an Appliance Primary Stops Responding
  What To Do When an Appliance Replica Stops Responding
  Promoting an Appliance Replica to the Appliance Primary Overview
  The Promotion Process
  Task 1: Identify the Appliance Replica You Want to Promote
  Task 2: Promote the Selected Appliance Replica
  Task 3: Reattach all Appliance Replicas to the New Appliance Primary
  Task 4: Configuring RADIUS After Promoting an Appliance Replica
  Promoting an Appliance Replica to the Appliance Primary
  Reattaching Appliance Replicas to the New Appliance Primary
  Attaching the Demoted Appliance Primary as an Appliance Replica
  Turning a Promoted Appliance Replica into a Standalone Appliance Primary
  Configuring RADIUS After Promoting an Appliance Replica
  Setting the Location of the New Appliance Primary
  Promoting the RADIUS Replica Server to the RADIUS Primary Server
  Reconfiguring CT-KIP After Promoting a Replica
  Restoring System Defaults on the Appliance
  Additional Tasks

Appendix A: Troubleshooting
  Common Problems and Resolutions
  Importing Logs from the Old Appliance Primary
  Reattaching a Problem Appliance Replica to the New Appliance Primary
  Additional Tasks

Appendix B: Installing the RSA Authentication Manager MMC Extension
  MMC Extension Overview
  System Requirements and Prerequisite
  Installation Process
  Installing the MMC Extension for Local Access
  Installing the MMC Extension for Remote Access
  Post-Installation
  Configuring Internet Explorer Security Settings
  Starting the Active Directory User and Computer Management Console

Appendix C: Sample Deployment Scenarios
  Acronyms Used in These Scenarios
  Summary of Scenario Elements
  Scenario 1: Using an RSA SecurID Appliance Base Server License for Secure Internal, Remote, and Wireless Access for a Single-Site Business
  Scenario 2: Using an RSA SecurID Appliance Enterprise Server License for Secure Internal, Remote, and Wireless Access for a Large International Enterprise
  Additional Concepts

Glossary

Index

Preface

About This Guide

This guide is intended for administrators who are planning and implementing an RSA SecurID Appliance 3.0 deployment.

Because RSA SecurID Appliance 3.0 is a preinstalled instance of RSA Authentication Manager 7.1, you must refer to both the RSA SecurID Appliance 3.0 and the RSA Authentication Manager documentation sets. This guide contains the information needed to set up and administer a basic Authentication Manager deployment using the Appliance, and it includes any Appliance-specific information that is different from Authentication Manager.

For information on some of the optional or advanced Authentication Manager tasks and concepts, this guide includes an “Additional Tasks” or “Additional Concepts” section at the end of most chapters. These sections contain links to information in the applicable Authentication Manager Help s
