Transcription of RSA Authentication Manager 8.1 Administrator’s …
1 RSA Authentication Manager Administrator s GuideRevision 1 Copyright 1994-2014 EMC Corporation. All Rights Reserved. Published in the 2013 Revised: December 2014 Contact InformationGo to the RSA corporate website for regional Customer Support telephone and fax numbers: , the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to #rsa. License AgreementThis software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred.
2 Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal software is subject to change without notice and should not be construed as a commitment by LicensesThis product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA SecurCare Online. By using this product, a user of this product agrees to be fully bound by terms of the license on Encryption TechnologiesThis product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this , copying, and distribution of any EMC software described in this publication requires an applicable software believes the information in this publication is accurate as of its publication date.
3 The information is subject to change without INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR Authentication Manager Administrator s GuideContentsRevision 19 About This 19 RSA Authentication Manager Documentation .. 19 Related 20 Support and Service .. 20 Before You Call Customer Support .. 21 Chapter 1: RSA Authentication Manager 23 Introduction to RSA Authentication Manager .. 23 Multifactor Authentication .. 23 Key Components for RSA Authentication Manager .. 24 Primary Instance .. 24 Replica Instance .. 25 Identity Sources .. 25 RSA Authentication 25 Risk-Based Authentication for a Web-Based Resource .. 26 RSA RADIUS Overview .. 26 Web Tier .. 27 Load Balancer .. 28 RSA SecurID Authentication Overview.
4 28 RSA SecurID Authentication Process .. 29 RSA SecurID 30 The Role of RSA Authentication Manager In SecurID Authentication .. 32On-Demand Authentication .. 32On-Demand Authentication User Logon 33 Risk-Based Authentication .. 33 Risk-Based Authentication Prevents Data Loss from Stolen Passwords .. 34 How Risk-Based Authentication Works .. 35 Chapter 2: Preparing RSA Authentication Manager for 37 Security Console ..37 Log On to the Security 38 Security Console 38 Security Console 41 Configure Security Console Authentication Methods .. 41 Identity 42 Data from an LDAP 43 Data from the Internal Database .. 434 ContentsRSA Authentication Manager Administrator s GuideSecurity Domain 43 User Organization and Management .. 43 Policy 44 Scope of Administrator s Control .. 44 Security Domains and Policies .. 45 Add a Security 45 Default Security Domain Mappings .. 47 Planning for Domain Name System Updates.
5 48 Administrative Role Overview .. 48 Types of Administrative Roles .. 48 Administrative Role 49 Administrative Role 50 Predefined Administrative Roles .. 55 Administrative Role Settings .. 60 Administrative Role Scope and Permissions .. 61 Add an Administrative Role .. 63 Assign an Administrative Role .. 64 View Available Permissions of an Administrator .. 65 Chapter 3: Deploying Authentication 67 RSA Authentication 67 Authentication Agent Types .. 67 Obtaining RSA Authentication 67 Deploying an Authentication Agent .. 68 Generate the Authentication Manager Configuration File .. 69 Add an Authentication Agent .. 70 Node Secret for 72 Manual Delivery of the Node Secret .. 72 Manage the Node Secret .. 73 Refresh the Node Secret Using the Node Secret Load 73 Automatic Agent Registration .. 74 Allow an Agent to Auto-Register .. 75 Download an RSA Authentication Manager Server Certificate .. 75 Contact Lists for Authentication 76 Automatic Contact Lists.
6 76 Manual Contact Lists .. 77 Chapter 4: Configuring Authentication 79 Policies .. 79 Token Policy .. 80 Token Policy Settings .. 81 Add a Token Policy .. 84 Offline Authentication Policy .. 86 Offline Authentication Policy Settings .. 86 Add an Offline Authentication Policy .. 88 Contents5 RSA Authentication Manager Administrator s GuidePassword Policy ..89 Password Policy Settings .. 90 Add a Password Policy .. 93 Lockout Policy ..94 Lockout Policy Settings .. 94 Add a Lockout Policy .. 95 Self-Service Troubleshooting Policy .. 96 Self-Service Troubleshooting Policy Settings .. 96 Add a Self-Service Troubleshooting Policy .. 97 Risk-Based Authentication 98 Risk-Based Authentication (RBA) Policy Settings .. 98 Add a Risk-Based Authentication Policy .. 99 Risk-Based Authentication Message Policy .. 101 Risk-Based Authentication Message Policy Settings .. 101 Add a Risk-Based Authentication Message Policy.
7 101 Chapter 5: Integrating LDAP 103 Identity from an LDAP 103 Data from the Internal Database .. 104 Identity Source Data Flow .. 104 Identity Source 105 Identity Source Scope .. 109 Active Directory Identity Sources that are Not Global Directory Global Catalog Identity Sources .. 111 Configure the Active Directory Connection Time-Out ..114 Integrating an LDAP Directory as an Identity Source ..114 Add an Identity Source .. 115 Link an Identity Source to the System .. 117 Verify the LDAP Directory Identity Source .. 117 Failover Servers .. 117 Securing the Communications Path ..119 Identity Source SSL 119 Password Policy for Active Directory .. 121 Custom Attribute Mapping .. 121 Identity Source User Attributes .. 122 Unique Identifier Attribute .. 122 User Account Enabled State Attribute .. 123 Chapter 6: Administering 125 Common User Administration 125 Add a User to the Internal Database.
8 125 User Status .. 127 Disable a User Account .. 127 Enable a User Account .. 1276 ContentsRSA Authentication Manager Administrator s GuideSecurity Domains to Organize Users .. 128 Move Users Between Security Domains .. 128 Duplicate User 129 User Authentication .. 129 Manage User Authentication Settings .. 129 Logon 131 Unlock a User .. 131 Incorrect Passcode 132 Managing Security Questions .. 132 Set Requirements for Security Questions .. 133 Custom Security 133 Modify the Security Questions File .. 134 Emergency Online 135 Assign a Set of One-Time Tokencodes .. 136 Assign a Temporary Fixed Tokencode .. 137 Emergency Offline Authentication .. 138 Provide an Offline Emergency Access Tokencode .. 138 Provide an Offline Emergency Passcode .. 139 RSA SecurID 140 Set an Initial On-Demand Authentication PIN for a User .. 140 Clear a User's On-Demand Authentication PIN .. 141 Require Users to Change Their RSA SecurID 141 Clear an RSA SecurID PIN.
9 142 Obtain the PIN Unlocking Key for an RSA SecurID 800 Authenticator .. 142 Import PIN Unlocking Keys .. 143 User Groups ..144 User Group Organization .. 144 User Group Characteristics .. 144 Creating User Groups .. 145 Internal User 145 Add a User Group .. 146 Add a User to a User 146 Controlling User Access With Authentication Agents .. 147 Configuring a Restricted Agent to Control User Access .. 148 Restricted Access Times for User Groups .. 149 Access to Restricted Agents by Active Directory 151 View User Groups Allowed to Authenticate on a Restricted Agent .. 151 User Data in an LDAP Directory .. 152 How a User Becomes Unresolvable .. 152 How a User Group Becomes Unresolvable .. 152 Manual Cleanup for Unresolvable 153 Clean Up Unresolvable Users Manually .. 153 Scheduling Cleanup for Unresolvable Users and User Groups .. 154 Schedule a Cleanup Job .. 156 Contents7 RSA Authentication Manager Administrator s GuideMoving Users in an LDAP Directory.
10 157 Modifying a User in an LDAP Directory .. 160 Modifying Group Membership in an LDAP Directory .. 161 Chapter 7: Administering RSA Authentication 163 Delegated System Administration .. 163 Super Admin .. 163 Operations Console 163 System Administrator Accounts .. 163 Authentication Manager Administrator Accounts .. 164 Appliance Operating System 165 Add a Super 165 Add an Operations Console Administrator .. 166 Change an Operations Console Administrator's Password .. 166 Operations Console .. 167 Log On to the Operations Console .. 167 Session Lifetime Limits .. 168 Types of Session Lifetime Limits .. 169 Edit Session Lifetime Settings .. 169 Updating Identity Source Properties .. 170 Unlink Identity Sources from the 170 Edit an Identity Source .. 171 Link an Identity Source to the System .. 172 Verify the LDAP Directory Identity Source .. 172 Certificate Management for Secure Sockets 172 Console Certificate.
