Download RSA Authentication Manager 7.1 Installation and Configuration Guide PDF

Title: RSA Authentication Manager 7.1 Installation and Configuration Guide
Language: English
File Size: 2.0 MB
Total Pages: 221
Table of Contents
                            Contents
	Preface
		About This Guide
		RSA Authentication Manager Documentation
		Related Documentation
		Getting Support and Service
			Before You Call Customer Support
	Preparing for Installation
		Hardware and Operating System Requirements
			Windows System Requirements
			Linux System Requirements
			Solaris System Requirements
		Supported Data Stores
			Internal Database
			Identity Sources
		Supported Browsers
		Port Usage
		Supported RSA Authentication Agents
		Licensing
		Maintaining Accurate System Time Settings
		RSA Authentication Manager Components
		Installation Types
			Primary Instance
			Replica Instance
			Server Node
			Database Only
			Documentation Only
			RADIUS Only
		Pre-Installation Tasks
			Pre-Installation Checklist for Windows
			Pre-Installation Checklist for Solaris
			Pre-Installation Checklist for Linux
	Identifying the Installation Process for Your Deployment Model
		Planning Your Deployment
		Deployment Process
		Deployment Examples
			Small, Single-Site Deployment
			Medium, Single-Site Deployment
			Large, Multisite Single-Realm Deployment
			Large, Multisite Trusted Realm Deployment
	Installing an RSA Authentication Manager Primary Instance
		Preparing to Install a Primary Instance
			Synchronizing Clocks
			Mounting the Media on Linux
			Mounting an ISO Image
		Performing an Installation
		Securing Backup Files
	Installing a Replica Instance
		Preparing to Install a Replica Instance
			Generating a Replica Package File
			Transferring the Replica Package File
			Copying the RSA RADIUS Replica Package File
		Performing an Installation
		Rebalancing Contact Lists
		Securing Backup Files
	Installing a Server Node
		Preparing to Install a Server Node
			Creating a Node Package File
			Transferring the Node Package File
		Performing an Installation
		Rebalancing Contact Lists
		Securing Backup Files
		Verifying Server Node Function
	Installing the RSA Authentication Manager Database on a Separate Machine
		Preparing to Install the Database on a Separate Machine
		Performing a Standalone Database Installation
		Generating a Database Package File
		Transferring the Database Package File
		Verifying That the Database Installed Successfully
	Installing RSA RADIUS on a Separate Machine
		Preparing to Install RSA RADIUS on a Separate Machine
			RSA RADIUS and Firewalls
			RSA RADIUS Access Planning
		Pre-Installation Tasks
			Creating an RSA RADIUS Package File
			Copying the RSA RADIUS Package File
		Installing RSA RADIUS
			Installing an RSA RADIUS Primary Server
			Installing an RSA RADIUS Replica Server
	Upgrading from RSA Authentication Manager 7.0
		Upgrading a Primary Instance
			Preparing to Upgrade a Primary Instance
			Performing an Upgrade on a Primary Instance
			Migrating User Data on a Primary Instance
		Upgrading a Replica Instance
			Preparing to Upgrade a Replica Instance
			Performing an Upgrade on a Replica Instance
			Migrating User Data on a Replica Instance
		Upgrading a Server Node
		Verifying the Upgrade
	Performing Post-Installation Tasks
		Backing Up a Standalone Primary Instance
			When To Perform a Backup
			Backing Up a Standalone Primary Instance on Windows
			Backing Up a Standalone Primary Instance on Linux and Solaris
		Securing the Connection Between the Primary Instance and Replica Instances
		Synchronizing Clocks
		Starting and Stopping RSA Authentication Manager Services
			Starting and Stopping RSA Authentication Manager Services on Windows
			Starting and Stopping RSA Authentication Manager Services on Solaris and Linux
		Configuring Your Browser to Support the RSA Authentication Manager Consoles
			Enabling JavaScript
			Adding the RSA Security Console to Trusted Sites
			Logging On to the Consoles
		Administering System Security
			Managing Passwords and Keys
			Managing Certificates and Keystores for SSL
			Importing LDAP Certificates
			Legacy Compatibility Keystore
		Configuring Optional Proxy Servers for Remote Token-Key Generation
			Adding a Proxy Server to Create Secure URLs
			Configuring a Proxy Server for CT-KIP Failover
		Configuring an Optional Proxy Server for Remote RSA Self-Service Console Access
			Adding a Proxy Server for Secure RSA Self-Service Console Access
			Configuring a Proxy Server for RSA Self-Service Console Failover
		Integrating the RSA RADIUS Server into the Existing Deployment
			Modifying the RADIUS Configuration Files
			Using the RSA Security Console to Replicate Changes
			Adding Clients to the RADIUS Server and Editing Clients
		Testing RSA RADIUS Operation
	Integrating an LDAP Directory
		Overview of LDAP Directory Integration
			Integrating an LDAP Identity Source
			Failover Directory Servers
			Mapping Identity Attributes for Active Directory
			Integrating Active Directory Forest Identity Sources
		Preparing for LDAP Integration
			Setting Up SSL for LDAP
			Password Policy Considerations
			Supporting Groups
			Active Directory Forest Considerations
		Adding an Identity Source
		Linking an Identity Source to a Realm
		Verifying the LDAP Identity Source
	Installing the RSA Authentication Manager MMC Extension
		MMC Extension Overview
		System Requirements and Prerequisite
		Installation Process
			Installing the MMC Extension for Local Access
			Installing the MMC Extension for Remote Access
		Post-Installation
			Configuring Internet Explorer Security Settings
			Starting the Active Directory User and Computer Management Console
	Removing RSA Authentication Manager
		Removing RSA Authentication Manager Servers
		Removing a Server Node
		Removing a Replica Database Server
			Manual Cleanup for Unsuccessful Removal
		Rebalancing Contact Lists
		Removing a Primary Database Server
		Removing an RSA RADIUS Server
		Removing a Standalone Database Server
	Troubleshooting
		Accessing Installation Files On a Network
		Unsuccessful Installation or Removal
			Viewing Installation Logs
			Unsuccessful Installation
			Unsuccessful Removal
			Reinstalling RSA Authentication Manager Components
			Cleanup Script for Reinstallation (Windows Only)
			Cleanup for Linux Systems
			Obscured Error Messages
		Server Does Not Start
			RADIUS Server Does Not Start After Installation on a Windows Platform
		RSA Security Console Does Not Start
			Using the Collect Product Information Utility
		MMC Extension Does Not Start
		Multicast Network Communication Fails
		Message Indicates Node Manager Service Not Started
		Test Authentication Between RSA RADIUS and RSA Authentication Manager Unsuccessful
		Unsuccessful End-to-End Authentication on RSA RADIUS
		The RSA Security Console Times Out When Searching for Users
		Unable to Receive Multicast Packets Sent to Self
	Deployment Checklist
		Pre-Installation
		Installation
		Identity Source Configuration
		Administrative Configuration
		Administrative Configuration for Self-Service and Provisioning
		Post-Installation
	Command Line Utilities
		Overview
		Collect Product Information Utility
			Using the Collect Product Information Utility
			Options for collect-product-info
		Data Migration Utility
			Using the Data Migration Utility
			Options for migrate-amapp
		Generate RADIUS Package Utility
			Using the Generate RADIUS Package Utility
			Options for gen-radius-pkg
		Manage Nodes Utility
			Using the Manage Nodes Utility
			Options for manage-nodes
		Manage Secrets Utility
			Using the Manage Secrets Utility
			Options for manage-secrets
		Manage SSL Certificate Utility
			Using the Manage SSL Certificate Utility
			Options for manage-ssl-certificate
		Multicast Network Test Utility
			Utility Messages
			Examples
			Using the Multicast Network Test Utility
			Options for test-multicast
		Setup Replication Utility
			Using the Setup Replication Utility
			Options for setup-replication
	Glossary
	Index
		A
		B
		C
		D
		E
		F
		G
		H
		I
		J
		K
		L
		M
		N
		O
		P
		R
		S
		T
		U
		V
		W
                        
Document Text Contents
Page 1

RSA Authentication Manager 7.1
Installation and Configuration Guide

Page 2

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the
most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of
EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below.
This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other
person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to
third-party software in this product may be viewed in the thirdpartylicenses.html files.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.

Distribution
Limit distribution of this document to trusted personnel.

RSA notice
The RC5™ Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and
#5,835,600.
© 2007-2008 RSA Security Inc. All rights reserved.
First printing: April 2008


Page 110

To stop the RSA Authentication Manager services:

Note: Stop the primary instance. If you have server nodes, stop the server nodes
before stopping the primary instance.

Change directories to RSA_AM_HOME/server, and type:
./rsaam stop all

The following messages appear:
RSA Authentication Manager: [ OK ]
RSA Authentication Manager Proxy Server: [ OK ]
RSA Authentication Manager Cluster Administration Server: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]

Configuring Your Browser to Support the RSA Authentication Manager Consoles

The Authentication Manager administrative interfaces (the RSA Security Console, the
RSA Operations Console, and the RSA Self-Service Console) are browser-based.
Before you can log on and administer Authentication Manager, you must configure
your browser to support the consoles as described in the following sections.

Enabling JavaScript
Before you log on, enable JavaScript.

Enabling JavaScript for Internet Explorer

To enable JavaScript:

1. In Internet Explorer, select Tools > Internet Options > Security.
2. Select the appropriate web content zone. If you use the default security level, JavaScript is enabled.
3. If you use a custom security setting, click Custom Level, and do the following:
	a. Scroll down to Miscellaneous > Use Pop-up Blocker, and select Disable.
	b. Scroll down to Scripting > Active Scripting, and select Enable.
	c. Scroll down to Scripting > Allow paste operations via script, and select Enable.
	d. Scroll down to Scripting > Scripting of Java Applets, and select Enable.
110 9: Performing Post-Installation Tasks

Page 111

Enabling JavaScript for Mozilla Firefox
Generally, you do not need to enable JavaScript for Firefox. If JavaScript is disabled,
perform these steps:

To enable JavaScript:

1. Open the Firefox browser.
2. Click Tools > Options > Content.
3. Select Enable JavaScript.
4. Click OK.

Adding the RSA Security Console to Trusted Sites
If Internet Explorer is configured for enhanced security levels, you must add the
Security Console URL to the list of trusted sites.

To add the RSA Security Console to trusted sites:

1. In Internet Explorer, select Tools > Internet Options > Security.
2. Select the Trusted Sites icon, and click Sites.
3. Type the URL for the Security Console in the entry next to the Add button.
4. Clear Require server verification (https:) for all sites.
5. Click Add.

Logging On to the Consoles
You can access any of the three consoles by clicking the link on the desktop, or by
opening a supported browser and typing the URLs listed in the following table.

For example, if the fully qualified domain name of your Authentication Manager
installation is “host.mycompany.com”, to access the Security Console, you would
type the following in your browser:
https://host.mycompany.com:7004/console-ims

Note: On Windows systems, you can also access the Security Console by clicking
Start > Programs > RSA Security > RSA Security Console.

Console                     URL
RSA Security Console        https://<fully qualified domain name>:7004/console-ims
RSA Operations Console      https://<fully qualified domain name>:7072/operations-console
RSA Self-Service Console    https://<fully qualified domain name>:7004/console-selfservice

Page 220

security questions
	definition, 207
self-service
	definition, 207
Self-Service Console
	definition, 206
self-service requests
	definition, 207
self-service troubleshooting policy
	definition, 207
server certificate and key, 47, 58, 64, 70
server node
	connection to primary instance, 28, 29
	definition, 207
	fails to communicate, 157
	function, 27
	installation type, 24
	installing, 61
	removing, 145
	test communication, 187
services
	defined, 19
	protocols used, 19
services, fail to start, 155
session
	definition, 207
session policy
	definition, 208
setting local time, 22
Setup Replication utility, 190
setup-replication command, 190
shipping address
	definition, 208
Short Message Service
	definition, 208
Simple Mail Transfer Protocol
	definition, 208
Simple Network Management Protocol
	definition, 208
single sign-on
	definition, 208
SMS
	definition, 208
SMTP
	definition, 208
snap-in
	definition, 208
SNMP agent
	definition, 208
SNMP trap
	definition, 208
SNMP. See Simple Network Management Protocol
Solaris
	requirements, 17
SSL
	LDAP, 130
	manage certificate, 183
	post-installation tasks, 115
SSL LDAP, 18
SSL. See Secure Sockets Layer
SSO. See single sign-on
starting RSA Authentication Manager services, 108
starting services
	on Solaris and Linux, 109
	on Windows, 108
stopping RSA Authentication Manager services, 108
stopping services
	on Solaris and Linux, 110
	on Windows, 109
subnet, 27
Sun Java System Directory Server, 18
Super Admin
	definition, 209
	planning password, 30, 31, 33
supported browsers, 19
symmetric key
	definition, 209
system
	architecture, 23
	components, 23
	fingerprint, 180
	logs, 155
	required packages, 16
system event
	definition, 209
system log
	definition, 209
system requirements
	Linux, 15
	Microsoft Windows, 14
	Solaris, 17
systemfields.properties, 30, 31, 33, 180

T
TACACS+. See Terminal Access Controller Access Control System+
TCP ports, 30, 32, 33
temporary directory for installation logs, 30
220 Index

Page 221

temporary fixed tokencode
	definition, 209
test-multicast command, 187
time settings, 22
time synchronization, 22
time-based token
	definition, 209
Token Distributor
	definition, 209
token provisioning
	definition, 209
tokencode
	definition, 209
tokens
	definition, 209
top-level security domain
	definition, 210
trace log, 155
	definition, 210
transfer
	database package file, 72
	replica package file, 55
troubleshooting
	accessing installation files on a network, 151
	Collect Product Information utility, 173
	message indicating Node Manager Service is not started, 157
	MMC Extension does not start, 157
	multicast network communication fails, 157
	RSA Security Console fails to start, 156
	Security Console times out when searching for users, 158
	server fails to start, 155
	starting node manager, 157
	unsuccessful authentication between RADIUS and Authentication Manager, 158
	unsuccessful end-to-end authentication on RADIUS, 158
	unsuccessful installation, 152
	unsuccessful installation or removal, 152
trust package
	definition, 210
trusted realm
	definition, 210
two-factor authentication
	definition, 210
two-pass CT-KIP
	definition, 210

U
UDP ports, 30, 32, 33
UDP. See User Datagram Protocol
uninstall
	primary database server, 148, 149
	RADIUS server, 149
	replica database server, 147
upgrade
	primary instance, 84
	replica instance, 95
	server node, 102
upgrade from version 7.0 to 7.1, 84
URL to access the RSA Security Console, 103
user and group data, 18
User Datagram Protocol
	definition, 210
user groups
	definition, 210
User ID
	definition, 210
users
	definition, 210
users and groups
	accessing from LDAP directory, 23, 125
utility
	Collect Product Information, 173
	Data Migration, 175
	Generate RADIUS Package, 178
	Manage Nodes, 179
	Manage Secrets, 180
	Manage SSL Certificate, 183
	Multicast Network Test, 187
	Setup Replication, 190

V
version number, determining, 11

W
Windows registry settings, 30, 32, 33
Windows requirements, 14
workflow
	definition, 210
workflow participant
	definition, 211
