PortalGuard support for RSA SecurID
You have an installation of PortalGuard, or are considering purchasing PortalGuard, and would like to know whether PortalGuard supports your RSA SecurID tokens.
PortalGuard version 4.3 and later supports the use of RSA SecurID tokens. They are simply an additional OTP type supported by the PortalGuard platform.
• PortalGuard server must have network connectivity to the RSA Authentication Manager server(s)
• You must be an active RSA customer with access to the RSA customer center
NOTE: In all steps below, please substitute PG_ROOT with the location where you installed PortalGuard. The default path is C:\Program Files\PistolStar\PortalGuard
1. Create a new folder named “RSA” under PG_ROOT\Policies and give the “Modify” and “Write” security privileges to the DefaultAppPool identity.
2. Create a new “RSA” folder under PG_ROOT\Logs. This ACL does not need changes.
3. Download the RSA SecurID Authentication Agent API 8.5 from https://knowledge.rsasecurity.com (you will need to log in with an active RSA account). The root download document is above but you can also reach it by searching for “agent api”.
NOTE: Be sure to download the “C” language version, not the Java version.
4. Extract the RSA API zip file and from the “SDK Root\lib\64bit\nt\Release” folder, copy the following files to PG_ROOT\bin:
Note: On 32-bit systems, copy the files from “SDK Root\lib\32bit\nt\Release”
5. Register the PortalGuard agent as a new agent host in the RSA Security Console from the Access -> Authentication Agents -> Add New menu item.
6. Set the “Hostname” field as “PortalGuardAgent”, leave the “IP Address” field blank and add all IP addresses of the PortalGuard server as “Alternate IP Addresses”. You can leave all other settings as the default values/blank and click the “Save” button at the bottom.
7. Export the RSA agent configuration from the Access -> Authentication Agents -> Generate Configuration File menu item (only change the default values if necessary). This will be named AM_Config.zip by default.
8. Copy RSA’s AM_Config.zip file to the PortalGuard server.
9. If PG is installed in a non-standard location, edit the following values in PG_ROOT\bin\rsa_api.properties to match the customized folder:
Note: If the rsa_api.properties file is not present, then you have not yet installed PortalGuard version 4.3 or higher – it is always included in these versions.
10. Unzip AM_Config.zip and copy the following files to the PG_ROOT\Policies\RSA folder:
Note: If you are using manual load balancing, also copy the sdopts.rec file to the same folder.
11. Run "iisreset" from an administrative command prompt.
12. In the PortalGuard Configuration Editor (PG_Config.exe):
a. Enable RSA SecurID in the Bootstrap under the Services -> H/W Tokens -> RSA tab.
b. Configure a PortalGuard Security Policy for intended RSA behavior (e.g. when entry of passcode is acceptable). You must first enable RSA on the security policy as an authentication method (shown below). Please see the field label help within the PortalGuard Configuration Editor for more detailed information.
c. Apply all changes to PortalGuard server
13. To confirm RSA support was successfully initialized, the PG_ROOT\Policies\RSA folder should contain three new files:
Please see the troubleshooting section below if those files are not present.
After successfully following these steps, the PortalGuard server should be capable of validating RSA SecurID tokens.
Troubleshooting RSA Errors
In addition to runtime logging in the standard PortalGuard PG_Log_YYYY-MM-DD.txt files, RSA’s agent API logs its information to PG_ROOT\Logs\RSA\aceclnt.log.
General Checks - Ensure the PortalGuard server can resolve the RSA Authentication Manager server name and reach it on the network. Initialization will fail if it cannot be reached.
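The following PowerShell script is an added example, not part of the original article or of PortalGuard's own tooling. It performs steps 1 and 2, then checks the step 9 note (rsa_api.properties present) and the general network check above. It assumes the application pool runs as the built-in "IIS AppPool\DefaultAppPool" identity and that the RSA server answers ICMP; the -RsaServer value is one you supply. Run it from an elevated PowerShell prompt.

```powershell
# Added example: preflight for steps 1, 2, the step 9 note and the general network check.
param(
    [string]$PgRoot = 'C:\Program Files\PistolStar\PortalGuard',  # default path from the article
    [Parameter(Mandatory)][string]$RsaServer,                     # your RSA Authentication Manager host name
    [string]$Identity = 'IIS AppPool\DefaultAppPool'              # assumption: pool uses its built-in identity
)
$ErrorActionPreference = 'Stop'
$policyDir = Join-Path $PgRoot 'Policies\RSA'
$logDir    = Join-Path $PgRoot 'Logs\RSA'

# Steps 1 and 2: create both folders (no-op if they already exist).
New-Item -ItemType Directory -Force -Path $policyDir, $logDir | Out-Null

# Step 1: grant Modify and Write on Policies\RSA only; Logs\RSA keeps its inherited ACL.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Identity, 'Modify, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $policyDir
$acl.AddAccessRule($rule)
Set-Acl -Path $policyDir -AclObject $acl

# Read the ACL back and confirm an Allow entry with Modify exists for the identity.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$matches = @((Get-Acl -Path $policyDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
})

# Step 9 note: a missing rsa_api.properties means PortalGuard is older than 4.3.
$propsPresent = Test-Path (Join-Path $PgRoot 'bin\rsa_api.properties')

# General check: name resolution first, then a single ping as a coarse reachability signal.
try   { $addresses = @([System.Net.Dns]::GetHostAddresses($RsaServer)) }
catch { $addresses = @() }
$pingOk = $false
if ($addresses.Count -gt 0) {
    $pingOk = Test-Connection -ComputerName $RsaServer -Count 1 -Quiet
}

[pscustomobject]@{
    PolicyFolder         = $policyDir
    LogFolder            = $logDir
    AppPoolCanModify     = ($matches.Count -gt 0)
    RsaPropertiesPresent = $propsPresent
    RsaServerResolves    = ($addresses.Count -gt 0)
    RsaServerPingReply   = $pingOk
}
```

A False in RsaServerPingReply only shows that no ICMP reply came back; if a firewall filters ping, rely on aceclnt.log to confirm whether the agent reached the server.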
Specific aceclnt.log Error Messages