Deployment of RSA Authentication Manager

Deploying RSA Authentication Manager means setting up a primary instance, one or more replica instances, and the authentication agents.

The Primary Instance is where all administration tasks (user management, token management, assigning tokens to users, agent registration, and so on) take place. It is also responsible for handling authentication requests.

A Replica Instance provides redundancy for the primary instance and also authenticates users. RSA recommends that a deployment has both a primary and a replica instance. RSA Authentication Manager 8.1 supports up to 15 replica instances.

According to the RSA documentation, RSA Authentication Manager is available as a VMware virtual appliance, a Hyper-V virtual appliance, and a hardware appliance.

A Virtual Appliance is a pre-configured VM image that is ready to run on a hypervisor. It is produced by installing the software into a virtual machine and packaging that machine as an image.

The RSA Authentication Manager Virtual Appliance consists of a Linux operating system with Authentication Manager, the RSA RADIUS Server software and the internal databases installed on it.

A hypervisor, also known as a Virtual Machine Manager, allows multiple operating systems to run on a single shared host. Each operating system is allocated its own resources, and the hypervisor knows what each one needs and allocates resources without disrupting the others.

 

[Image: RSA Authentication Manager Hardware Appliance]

The VMware Virtual Appliance can be deployed on a VMware vCenter Server or a VMware ESXi Server running on a given host machine. Install VMware ESXi Server and configure it first.

The hardware requirements for RSA Authentication Manager are as follows:

  • Disk space: 100 GB
  • Swap file: 4 GB
  • Memory: 8 GB
  • CPU: two virtual CPUs

The following video shows how to install and configure VMware ESXi 5.5 on your physical server.

Next, we will see how to install the RSA Virtual Appliance on a VMware ESXi Server. For this you need the vSphere Client, which is available for Windows; download it and install it on the machine in front of you.

Follow these steps to deploy your RSA Authentication Manager:

  1. In the VMware vSphere Client, log on to the VMware ESXi server.
  2. Select File > Deploy OVF Template to start the deployment wizard.
  3. On the Source window, under Deploy from a File or URL, click Browse, and
    locate the RSA Authentication Manager OVA file to deploy. Click Next.
  4. On the OVF Template Details window, verify that “RSA Authentication
    Manager” and the expected version number displays. Click Next.
  5. On the End User License Agreement window, scroll to read the agreement. Click Accept, and Next.
  6. On the Name and Location window, enter a Name for the virtual appliance, and click Next.
  7. On the Datastore window, select a directory for the virtual machine files. A VMware datastore can be a location such as a Virtual Machine File System (VMFS) volume, a directory on Network Attached Storage, or a local file system path. Click Next.
  8. On the Disk Format window, select a format for storing virtual disks.
  9. On the Network Mapping window, select the networks for the virtual appliance. Click Next.
  10. On the Ready to Complete window, review your settings, and click Finish. VMware requires approximately five minutes to deploy the virtual appliance.
  11. Power on the virtual machine.
  12. For the virtual appliance, click the Console tab. The OS Console displays the progress of the boot sequence.
  13. Wait for 30 seconds to select the default keyboard layout, English (United States). To select a different keyboard layout, press any key and follow the instructions on the screen.
  14. When you are prompted by the OS Console, enter the following IPv4 network settings for the virtual appliance:
    Fully Qualified Hostname
    IP Address
    Subnet Mask
    Default Gateway
    (Optional) DNS Server Configuration
    Note: If your deployment uses IPv6-compliant agents, you can add IPv6 network settings in the Operations Console after Quick Setup is complete.
  15. Verify that the settings are correct. To accept the settings, type y, or wait 30 seconds.
  16. When the virtual appliance is deployed, the OS Console displays the Quick Setup URL and the Quick Setup Access Code. Record the following required information:
    The Quick Setup URL includes the IP address that you entered in step 14: https://<IP Address>/
    Quick Setup uses an IP address. The administrative consoles that are available after Quick Setup completes use a fully qualified domain name (FQDN).
    The Quick Setup Access Code is required to initiate Quick Setup.
  17. Enter the Quick Setup URL in the browser, including https, and press ENTER: https://<IP Address>/


I hope you can now access your Security Console.

References :

  1. RSA ® Authentication Manager 8.1 Setup and Configuration Guide

RSA SecurID 2FA

RSA SecurID is a popular and widely used two-factor authentication mechanism. It gives users convenient access from anywhere while providing strong, secure access to the enterprise's infrastructure.

RSA SecurID is based on token-based authentication. There are two types of tokens: hardware and software tokens. Token codes are generated using a built-in clock and an embedded, factory-encoded random key (the so-called seed). The seed record is unique for each token, whether software or hardware.


Three major components participate in the RSA authentication process. They are as follows.

  1. RSA Authentication Manager:
    This is responsible for handling authentication requests and for managing authentication agents, user reports, blocking users, backups, and so on.
  2. Agents:
    These capture the user's credentials and pass them to the RSA Authentication Manager for authentication.
  3. Authenticators (Tokens):
    Available mainly in two formats, software tokens and hardware tokens (key fobs, cards); they generate token codes at short, fixed time intervals.

[Diagram: RSA SecurID user authentication flow]

The user authentication flow in RSA SecurID is shown in the diagram above. The use case is as follows.

  1. The user enters the User ID, PIN and token code.
  2. The agent passes the credentials to the RSA Authentication Manager.
  3. The Authentication Manager verifies the credentials, allows or denies the user, and sends the reply back to the agent.
  4. The user then receives the response: access is either allowed or denied.

Now let us look at each component of the RSA authentication flow in more detail.

Agent

SecurID agents are pieces of software that sit in front of resources and protect them. The main function of an agent is to pass the user's credentials to the Authentication Manager. You can use an existing agent or build your own customised agent using the authentication agent API.

RSA Authentication Manager

Once the credentials arrive at the Authentication Manager, it is ready to authenticate the user. Besides the user credentials, the Authentication Manager also records the time at which the authentication request arrived.

In summary, the RSA Authentication Manager has the following information before it processes the authentication request:

  • Request Received Time
  • RSA User ID
  • Token Code
  • PIN

[Diagram: RSA Authentication Manager token code validation]

As explained in the diagram above, when the RSA Authentication Manager receives an authentication request it first validates that the user ID and PIN are correct.

If the user ID and PIN match, the seed record of the token assigned to that user is fetched from the Identity Source.

A token code is then generated from that seed record and the time at which the user's token code was received.

Finally, the generated token code is compared with the token code the user entered to decide whether they are equal.
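The validation steps above, written out as an added example (not RSA's code): the real SecurID token algorithm is proprietary, so HMAC-SHA256 over a 60-second time step stands in for it, and the user record, PIN and seed are constructed for the example. The `drift_steps` parameter shows why a server clock that is only one minute off can reject a perfectly valid token code.

```python
import hashlib
import hmac
import struct

# Constructed identity source: user -> (PIN, token seed). The seed here is made
# up for this example and is not a real SecurID seed record.
IDENTITY_SOURCE = {
    "jdoe": {"pin": "4821", "seed": bytes.fromhex("00112233445566778899aabbccddeeff")},
}

INTERVAL = 60  # seconds per token code (assumption; stands in for the token's clock step)


def token_code(seed: bytes, at: int, interval: int = INTERVAL, digits: int = 6) -> str:
    """Derive the token code valid at Unix time `at` from the seed.

    HMAC-SHA256 over the time-step counter is a stand-in for the proprietary
    SecurID algorithm; the example demonstrates the flow, not RSA's cipher.
    """
    counter = struct.pack(">Q", at // interval)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    number = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def authenticate(user_id: str, pin: str, entered_code: str, received_at: int,
                 drift_steps: int = 0) -> bool:
    """Mirror the Authentication Manager steps from the text:
    1. check user ID and PIN, 2. fetch the assigned token's seed,
    3. regenerate the code for the request time, 4. compare with the entered code.
    """
    record = IDENTITY_SOURCE.get(user_id)
    # Constant-time comparison so a wrong PIN does not leak how many digits matched.
    if record is None or not hmac.compare_digest(record["pin"], pin):
        return False
    seed = record["seed"]
    # drift_steps tolerates a small skew between the token clock and the server
    # clock. With drift_steps=0, a server that is one interval behind the token
    # rejects a valid code, which is the symptom the NTP post describes.
    for step in range(-drift_steps, drift_steps + 1):
        expected = token_code(seed, received_at + step * INTERVAL)
        if hmac.compare_digest(expected, entered_code):
            return True
    return False
```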

Next : Deploying The RSA Authentication Manager


Maven: including an external library in your project

Dependency management is the most relevant part of the Maven build tool. Every developer who uses Maven as their build tool should know about Maven dependency management.

In this post I assume you already know what Maven dependency management is, and I show you how to add an external library that resides inside your project and how to declare that dependency in your pom.

As you know, all dependencies go under these tags:

<dependencies>
            ....
            ....
</dependencies>

If you add such a dependency to your pom, you have to specify the path to the jar in the dependency as follows.


Focus on the dependency authapi.jar and on how to include this external jar library in your project. You can include the jar like this:

<dependency>
  <groupId>com.rsa.authagent.authapi</groupId>
  <artifactId>rsa-auth-api</artifactId>
  <version>1.0</version>
  <scope>system</scope>
  <systemPath>${project.basedir}/src/main/resources/authapi.jar</systemPath>
</dependency>

Setting up an NTP server

Network Time Protocol (NTP) is an Internet protocol responsible for synchronising a computer's clock to some reference clock.

You may have experienced situations where the time differs between devices. This issue can lead to big problems: many time-based algorithms run for different purposes, and if one computer's clock is ahead of or behind another's, the algorithm will fail when it runs across those devices.

Isolated networks may run on their own wrong time, but as soon as you connect to the Internet the effects become visible. Just imagine an email message arriving five minutes before it was sent, and a reply to it arriving two minutes before the original message was sent.

I have experienced this issue while using RSA SecurID authenticators. RSA SecurID authentication uses a time-based algorithm. I'm running RSA Authentication Manager on my local machine and tried to run the algorithm. It somehow failed, and I tried to figure out the issue. The RSA Authentication Manager virtual appliance time was one minute behind my local computer time.

I fixed the above-mentioned issue by setting up NTP in the RSA Authentication Manager server. It is the same way wherever you are going to set up NTP on a server.

There are many dedicated servers running NTP. You can find a server for your region at the following link:

http://www.pool.ntp.org/en/

How do we set the clock from an NTP server? A single command is enough to set the correct time:

sntp -P no -r asia.pool.ntp.org

That's it: your server is now set to the global time. Here I used the Asia pool server; you can use the pool for your own region.

Need to read more :

  1. http://www.ntp.org/ntpfaq/NTP-s-def.htm
  2. https://en.wikipedia.org/wiki/Network_Time_Protocol
  3. http://www.pool.ntp.org/en/

Thank you for reading.

WSO2 Identity Server

WSO2 Identity Server (WSO2 IS), the industry's first Enterprise Identity Bus (EIB), is the checkpoint for connecting and maintaining multiple identities across applications and APIs, cloud and mobile platforms.

WSO2 Identity Server is an open source project with many improvements in each new version. It is an ongoing project, and version 5.1.0 is being released while I'm writing this blog post.

Why do we need WSO2 Identity Server?

With every post you read, the question arises: why am I reading this, and what are the benefits of reading it? I know the same question arises now: why do we need this identity server? Here is the answer.

In today's enterprise world many entities are connected, and a massive amount of sensitive and valuable information is shared remotely in the blink of an eye. Social login or other federated logins are commonly integrated with enterprise applications, allowing users to access confidential information with their social network or other federated credentials. Here the problem arises: the enterprise needs to validate the individual's identity while ensuring both security and ease of access. This is where WSO2 IS does a massive job in overcoming the issue.

What does the WSO2 IS architecture look like?

WSO2 IS is built on top of WSO2 Carbon. The following diagram shows the architecture's process flow.

[Diagram: WSO2 Identity Server Architecture Process Flow]

A Service Provider (SP) is an entity providing web services. It is configured with Identity Providers (IdPs). In the image above, WSO2 IS is the IdP for the service provider. When a user of the SP tries to log in to one of the SP's applications, the request is sent to the IdP's Inbound Authentication component shown in the image. You can configure the SP in WSO2 IS by following this guide.

The Identity Provider is responsible for authentication and authorization.

Inbound Authentication Components :

  • SAML SSO: an open standard for representing and exchanging user identity and authentication data.
  • OAuth/OpenID Connect: provides a three-phase authentication flow:
    1. Requesting an access token
    2. Exchanging the access token
    3. Accessing resources using the access token
  • OpenID
  • Passive STS

You can configure any of the Inbound Authentication methods. Once their requirements are met, the request is forwarded to the Authentication Framework.

In the Authentication Framework, claim management is a key step of IS. It maps local user claims to SP claims and vice versa, and also maps local claims to IdP claims. This claim mapping is used in the authentication context as follows:

  1. The Inbound Authentication component sends the authentication request to the IN channel of the authentication framework.
  2. The claim mapping is checked, and if it is complete the request is forwarded to the Local Authenticator or the Federated Authenticator.
  3. Once authentication is complete, the response from the Local Authenticator or Federated Authenticator is sent through the OUT channel of the authentication framework.

Learn more about this here.

To run the Identity Server, just follow these steps:

  1. Download WSO2 IS from here.
  2. Set JAVA_HOME in your environment variables.
  3. Run the server by executing this command:
    on Linux
    sh wso2server.sh
    on Windows
    wso2server.bat --run
  4. Once the server has started, open your favourite browser and go to the URL https://localhost:9443/carbon/
  5. You will see the management console UI. Log in with
    username: admin
    password: admin

References :

  1. http://wso2.com/products/identity-server/
  2. https://docs.wso2.com/display/IS500/Introducing+the+Identity+Server

Thank you for reading. Stay tuned for more about …..