RSA SecurID Support

PortalGuard version 4.3 and later supports the use of RSA SecurID tokens. They are simply an additional OTP type supported by the PortalGuard platform.

Requirements

  • PortalGuard server must have network connectivity to the RSA Authentication Manager server(s)
  • You must be an active RSA customer with access to the RSA customer center

Deployment Instructions

NOTE: In all steps below, please substitute PG_ROOT with the location where you installed PortalGuard. The default path is C:\Program Files\PistolStar\PortalGuard

  1. Create a new folder named “RSA” under PG_ROOT\Policies and give the “Modify” and “Write” security privileges to the DefaultAppPool identity.
  2. Create a new “RSA” folder under PG_ROOT\Logs. This ACL does not need changes.
  3. Download the RSA SecurID Authentication Agent API 8.5 from https://knowledge.rsasecurity.com (you will need to log in with an active RSA account). The root download document is linked above, but you can also reach it by searching for “agent api”.

NOTE: Be sure to download the “C” language version (link as of 2014/09/03), NOT Java.

  4. Extract the RSA API zip file and, from the “SDK Root\lib\64bit\nt\Release” folder, copy the following files to PG_ROOT\bin:
    1. aceclnt.dll
    2. aceclnt_tcp.dll
    3. sdmsg.dll
    4. xerces-c_3_1_vc80.dll

NOTE: On 32-bit systems, copy the files from “SDK Root\lib\32bit\nt\Release”

  5. Register the PortalGuard agent as a new agent host in the RSA Security Console from the Access -> Authentication Agents -> Add New menu item.
  6. Set the “Hostname” field to “PortalGuardAgent”, leave the “IP Address” field blank and add all IP addresses of the PortalGuard server as “Alternate IP Addresses”. You can leave all other settings at their default values/blank and click the “Save” button at the bottom.
  7. Export the RSA agent configuration from the Access -> Authentication Agents -> Generate Configuration File menu item (only change the default values if necessary). The export is named AM_Config.zip by default.
  8. Copy RSA’s AM_Config.zip file to the PortalGuard server.
  9. If PG is installed in a non-standard location, edit the following values in PG_ROOT\bin\rsa_api.properties to match the customized folder:
    1. SDCONF_LOC
    2. RSA_CONFIG_DATA_LOC
    3. RSA_LOG_FILE_LOC

NOTE: If the rsa_api.properties file is not present, then you have not yet installed PortalGuard version 4.3 or higher – it is always included in these versions.

  10. Unzip AM_Config.zip and copy the following files to the PG_ROOT\Policies\RSA folder:
    1. sdconf.rec
    2. failover.dat

NOTE: If you are using manual load balancing, also copy the sdopts.rec file to the same folder.

  11. Run "iisreset" from an administrative command prompt.
  12. In the PortalGuard Configuration Editor (PG_Config.exe):
    1. Enable RSA SecurID in the Bootstrap under the Services -> H/W Tokens -> RSA tab.
    2. Configure a PortalGuard Security Policy for the intended RSA behavior (e.g. when entry of a passcode is acceptable). You must first enable RSA on the security policy as an authentication method (shown below). Please see the field label help within the PortalGuard Configuration Editor for more detailed information.
    3. Apply all changes to the PortalGuard server.
  13. To confirm RSA support was successfully initialized, the PG_ROOT\Policies\RSA folder should contain three new files:
    1. bootstrap.xml
    2. config.xml
    3. root.cer

Please see the troubleshooting section below if those files are not present.

After successfully following these steps, the PortalGuard server should be capable of validating RSA SecurID tokens.
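The file-system part of the deployment above (the two RSA folders and their ACL, the agent DLLs, the rsa_api.properties check, the AM_Config files, iisreset and the final three-file check) plus the name-resolution/reachability check from the troubleshooting section, as an added PowerShell example that is not part of this article or of PortalGuard's software; the SDK, AM_Config and Authentication Manager values are placeholders, and the RSA Security Console and PG_Config.exe steps remain manual.

```powershell
# Added example, not PortalGuard's or RSA's own code. Placeholders you must set: $SdkRoot is the
# extracted Agent API zip, $AmConfig the unzipped AM_Config.zip, $AmServer your Authentication Manager.
param(
    [string]$PgRoot   = 'C:\Program Files\PistolStar\PortalGuard',
    [string]$SdkRoot  = 'C:\Temp\RSA_SDK',       # placeholder
    [string]$AmConfig = 'C:\Temp\AM_Config',     # placeholder
    [string]$AmServer = 'am.example.internal'    # placeholder
)
$ErrorActionPreference = 'Stop'

# Policies\RSA must be writable by the app pool identity; Logs\RSA keeps the default ACL.
$rsaPolicies = Join-Path $PgRoot 'Policies\RSA'
$rsaLogs     = Join-Path $PgRoot 'Logs\RSA'
New-Item -ItemType Directory -Force -Path $rsaPolicies, $rsaLogs | Out-Null
$acl  = Get-Acl $rsaPolicies
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(   # Modify already includes Write
    'IIS AppPool\DefaultAppPool', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $rsaPolicies -AclObject $acl

# Agent DLLs from the SDK, taking the 32-bit build on a 32-bit OS.
$arch   = if ([Environment]::Is64BitOperatingSystem) { '64bit' } else { '32bit' }
$libDir = Join-Path $SdkRoot "lib\$arch\nt\Release"
foreach ($dll in 'aceclnt.dll', 'aceclnt_tcp.dll', 'sdmsg.dll', 'xerces-c_3_1_vc80.dll') {
    Copy-Item -Path (Join-Path $libDir $dll) -Destination (Join-Path $PgRoot 'bin') -Force
}

# rsa_api.properties only ships with PortalGuard 4.3+; print the three location keys to review.
$props = Join-Path $PgRoot 'bin\rsa_api.properties'
if (-not (Test-Path $props)) { throw 'rsa_api.properties not found: PortalGuard older than 4.3?' }
Select-String -Path $props -Pattern 'SDCONF_LOC|RSA_CONFIG_DATA_LOC|RSA_LOG_FILE_LOC'

# Exported Authentication Manager config; sdopts.rec is copied only when present (manual load balancing).
foreach ($f in 'sdconf.rec', 'failover.dat', 'sdopts.rec') {
    $src = Join-Path $AmConfig $f
    if (Test-Path $src) { Copy-Item $src $rsaPolicies -Force } elseif ($f -ne 'sdopts.rec') { throw "$f missing" }
}

# General check from the troubleshooting section: the AM server must resolve and be reachable.
if (-not (Test-NetConnection -ComputerName $AmServer -InformationLevel Quiet)) {
    Write-Warning "$AmServer is not reachable; RSA initialization will fail"
}

# Restart IIS, then confirm the three files RSA initialization creates (after RSA is enabled in PG_Config).
iisreset | Out-Null
$missing = 'bootstrap.xml', 'config.xml', 'root.cer' | Where-Object { -not (Test-Path (Join-Path $rsaPolicies $_)) }
if ($missing) { Write-Warning "RSA not initialized yet; missing: $($missing -join ', ')" }
```

Run it from an elevated PowerShell prompt on the PortalGuard server; a warning about the three missing files is expected until RSA has been enabled and applied in PG_Config.exe.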

Troubleshooting RSA Errors

In addition to runtime logging in the standard PortalGuard PG_Log_YYYY-MM-DD.txt files, RSA’s agent API logs its information to PG_ROOT\Logs\RSA\aceclnt.log.

General Checks

  • Ensure the PortalGuard server can resolve the RSA Authentication Manager server name and reach it on the network. Initialization will fail if it cannot be reached.

Specific aceclnt.log Error Messages

Message: java.net.UnknownHostException: <PortalGuard server name>
  Cause: DNS cannot resolve the PortalGuard server host name to an IP.
  Fix:   Update DNS so RSA Authentication Manager can resolve the PG server name.

Message: Domain objects not found for agent
  Cause: The IP address of the PortalGuard server as seen from the Authentication Manager was not recognized.
  Fix:   Add the appropriate IP as an “Alternate IP Address” for the “PortalGuardAgent” Authentication Agent in the RSA Security Console.