RSA Authentication Manager 7.0 Installation and Configuration Guide




Contact Information
See the RSA corporate web site for regional Customer Support telephone and fax numbers.
RSA Security Inc.
www.rsa.com

Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, see www.rsasecurity.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Limit distribution of this document to trusted personnel.

RSA notice
The RC5 Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600.

© 2007 RSA Security Inc. All rights reserved.
First printing: January 2007

Contents

Preface ... 9
  About This Guide ... 9
  RSA Authentication Manager Documentation ... 9
    Tutorials ... 9
  Related Documentation ... 10
  Getting Support and Service ... 10
    Before You Call Customer Support ... 10

Chapter 1: Choosing Components for Installation ... 11
  RSA Authentication Manager Components ... 11
  Installation Types ... 11
    Primary Instance ... 12
    Replica Instance ... 12
    Server Node ... 14
  LDAP Directory ... 16

Chapter 2: Preparing for Installation ... 17
  System Requirements ... 17
    Supported Data Stores ... 19
    Supported Browsers ... 19
    Supported RSA Authentication Agents ... 20
    Licensing ... 20
    Maintaining Accurate System Time Settings ... 20
  Pre-Installation ... 21
    Pre-Installation Checklist for Windows ... 21
    Pre-Installation Checklist for Linux ... 22
    System Update Script for Linux ... 25

Chapter 3: Identifying the Installation Process for Your Deployment Model ... 27
  Planning Your Deployment ... 27
  Deployment Process ... 32
  Example Deployments ... 34
    Small Deployment ... 34
    Medium Deployment ... 35
    Large Deployment ... 37

Chapter 4: Installing an RSA Authentication Manager Primary Instance ... 39
  GUI-Based Installation ... 39
  Command Line Installation ... 40
  Silent Installation ... 42
    Creating a Response File from the Template ... 42
    Launching a Silent Installation ... 43
  Securing Backup Files ... 43
  Verifying the Installation ... 43

Chapter 5: Installing a Replica Instance for Failover ... 45
  Preparing to Install a Replica Instance ... 45
    Synchronizing Clocks ... 45
    Creating a Replica Package File ... 46
    Transferring the Replica Package File ... 47
  GUI-Based Installation ... 47
  Command Line Installation ... 49
  Silent Installation ... 50
    Creating a Response File from the Template ... 51
    Launching a Silent Installation ... 51
  Rebalancing Contact Lists ... 52
  Securing Backup Files ... 52
  Verifying the Installation ... 52

Chapter 6: Installing a Server Node for Improved Performance ... 53
  Preparing to Install a Server Node ... 53
    Creating a Node Package File ... 53
    Transferring the Node Package File ... 54
  GUI-Based Installation ... 54
  Command Line Installation ... 56
  Silent Installation ... 57
    Creating a Response File from the Template ... 57
    Launching a Silent Installation ... 58
  Securing Backup Files ... 59
  Verifying Server Node Function ... 59

Chapter 7: Performing Post-Installation Tasks ... 61
  Additional Linux Configuration ... 61
  Backing Up a Standalone Primary Instance ... 61
    When To Perform a Backup ... 62
    Backing Up a Standalone Primary Instance on Windows ... 62
    Backing Up a Standalone Primary Instance on Linux ... 63
  Securing the Connection Between the Primary Instance and Replica Instances ... 63
  Starting RSA Authentication Manager Services ... 63
    Starting and Stopping RSA Authentication Manager Services on Windows ... 64
    Starting and Stopping RSA Authentication Manager Services on Linux ... 65
    Setting Up Automatic Start on Linux ... 66
  Logging On to the RSA Security Console ... 66
    Enabling JavaScript ... 66
    Adding the RSA Security Console to Trusted Sites ... 67
  System Security ... 67
    Passwords and Keys in systemfields.properties ... 67
    Certificates and Keystores for SSL ... 69
    LDAP Certificates ... 73
    Legacy Compatibility Keystore ... 73
  Optional Proxy Servers for Remote Token Key Generation ... 74
    Adding a Proxy Server to Create Secure URLs ... 74
    Adding a Proxy Server for CT-KIP Failover ... 74

Chapter 8: Accessing Users and Groups from an LDAP Directory ... 75
  Overview of LDAP Directory Integration ... 75
    Replica Instance Connections to Identity Sources ... 78
    Failover Directory Servers ... 78
    Integrating Active Directory Forest Identity Sources ... 78
  Preparing for Integration ... 83
    Setting Up SSL for LDAP ... 83
    Password Policy Considerations ... 84
    Supporting Groups ... 84
  Using the Initialize Identity Source Utility to Deploy Resource Adapters ... 84
    Deploying Resource Adapters ... 85
    Undeploying the Resource Adapters ... 87
    Modifying an Identity Source ... 87
  Enabling Identity Sources in the RSA Security Console ... 88
    Adding the Identity Source ... 88
    Linking an Identity Source to a Realm ... 89
    Verifying the LDAP Identity Source ... 89
    Removing an Identity Source ... 90
    Identifying Orphaned LDAP Users ... 90

Chapter 9: Installing the Authentication Manager MMC Extension ... 91
  MMC Extension Overview ... 91
  System Requirements and Prerequisites ... 91
  Installation Process ... 92
    Installing the MMC Extension for Local Access ... 92
    Installing the MMC Extension for Remote Access ... 92
  Post-Installation ... 93
    Configuring Internet Explorer Security Settings ... 94
    Starting the Active Directory User and Computer Management Console ... 94

Chapter 10: Removing RSA Authentication Manager ... 95
  Removing RSA Authentication Manager Servers ... 95
    Removing a Server Node ... 95
      GUI-Based Removal ... 95
      Command Line Removal ... 96
    Removing a Replica Database Server ... 97
      GUI-Based Removal ... 97
      Command Line Removal ... 98
      Manual Cleanup for Unsuccessful Removal ... 98
      Rebalancing Contact Lists ... 99
    Removing a Primary Database Server ... 99
      GUI-Based Removal ... 99
      Command Line Removal ... 100

Appendix A: Troubleshooting ... 101
  Unsuccessful Installation or Removal ... 101
    Viewing Installation Logs ... 101
    Cleanup Script for Reinstallation (Windows Only) ... 101
    Cleanup for Linux Systems ... 101
    Obscured Error Messages ... 102
  Server Does Not Start ... 102
  RSA Security Console Does Not Start ... 102
  Using the Collect Product Information Utility ... 102
  LDAP Identity Source Integration Unsuccessful ... 102
  MMC Extension Does Not Start ... 103
  Multicast Network Communication Fails ... 103
  Message Indicates Node Manager Service Not Started ... 104

Appendix B: Command Line Utilities ... 105
  Manage Secrets Utility ... 105
    Using the Manage Secrets Utility ... 105
    Option Flags for manage-secrets ... 106
  Collect Product Information Utility ... 108
    Using the Collect Product Information Utility ... 108
    Option Flags for collect-product-info ... 108
  Manage SSL Certificate Utility ... 109
    Using the Manage SSL Certificate Utility ... 109
    Option Flags for manage-ssl-certificate ... 111
  Multicast Network Test Utility ... 114
    Utility Messages ... 114
    Examples ... 114
    Using the Multicast Network Test Utility ... 115
    Option Flags for test-multicast ... 115
  Generate Replica Package Utility ... 116
    Online and Offline Synchronization ... 116
    Using the Generate Replica Package Utility ... 116
    Option Flags for gen-replica-pkg ... 117
  Manage Nodes Utility ... 117
    Using the Manage Nodes Utility ... 117
    Option Flags for manage-nodes ... 118

Glossary ... 119
Index ... 135

Preface

About This Guide
Make sure that you have a basic understanding of your server platform, operating system version, and system peripherals. This guide is intended for network and security administrators who are responsible for installing and managing the RSA Authentication Manager software.

RSA Authentication Manager Documentation
For more information about RSA Authentication Manager 7.0, see the following documentation:
- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.
- Getting Started. Lists what the kit includes (all media, diskettes, licenses, and documentation), specifies the location of documentation on the DVD or download kit, and lists RSA Security Customer Support web sites.
- Planning Guide. Provides a general understanding of RSA Authentication Manager, its high-level architecture, its features, and deployment information and suggestions.
- Installation and Configuration Guide. Describes detailed procedures on how to install and configure RSA Authentication Manager.
- Administrator's Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 7.0.
- Developer's Guide. Provides information about developing custom programs using the RSA Authentication Manager 7.0 application programming interfaces (APIs). Includes an overview of the APIs and Javadoc for Java APIs.
- Authentication Manager Help. Describes day-to-day administration tasks performed in the RSA Security Console. To view Help, click the Help tab on the RSA Security Console.

Tutorials
The following interactive tutorials are included on the RSA Authentication Manager 7.0 DVD or in the download kit:
- ConsoleAdministration. Provides Overview and How-To information about the tasks you can perform on the RSA Security Console. You can also access this tutorial from the RSA Security Console by clicking Help > Console Tutorial.
- SecurIDToken_HowTo. Describes the steps to authenticate using various RSA SecurID tokens. This tutorial can be provided to end users as a training tool.
To view these tutorials, you must have Adobe Flash Player 8 or later. To download the viewer, go to http://www.adobe.com/products/flashplayer/.

Related Documentation
RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows documentation set. This documentation set is included with the Authentication Agent software. RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows works with RSA Authentication Manager 7.0 to protect your company's local Windows desktops.

Getting Support and Service
RSA SecurCare Online                       https://knowledge.rsasecurity.com
Customer Support Information               www.rsasecurity.com/support
RSA Secured Partner Solutions Directory    www.rsasecured.com

RSA SecurCare Online offers a Knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA Security products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA Security products with these third-party products.

Before You Call Customer Support
Make sure you have access to the computer running the RSA Authentication Manager software. Please have the following information available when you call:
- Your RSA Security License ID. You can find this number on your license distribution media, or in the RSA Security Console by clicking Setup > Licenses > Manage Existing, and then clicking View Installed Licenses.
- The Authentication Manager software version number. You can find this in the RSA Security Console by clicking Help > About RSA Security Console > See Software Version Information.
- The names and versions of the third-party software products that support the Authentication Manager feature on which you are requesting support (operating system, data store, web server, and browser).
- The make and model of the machine on which the problem occurs.

1 Choosing Components for Installation
- RSA Authentication Manager Components
- Installation Types
- LDAP Directory

RSA Authentication Manager Components
Understand the Authentication Manager components before you choose an installation type.
- Authentication Server. The server that handles runtime authentication operations.
- Internal database. The database required for policy data, which can optionally contain all user and group data also.
- RSA Security Console. The web application for administering the system.
- (optional) LDAP identity source. Provides access to user and group data residing in LDAP directories.
This set of Authentication Manager components alone is not sufficient for authentication operations. Your system must include authentication agents and other front-end components that are typically configured following the installation of Authentication Manager. See agent documentation at https://knowledge.rsasecurity.com.

Installation Types
At installation time, you must select an installation type. The installer creates differently configured combinations of Authentication Manager components on your system depending on which type of installation you choose: primary instance, replica instance, or server node. The installer also provides an option to install only Authentication Manager documentation and the Software Development Kit (SDK).

Installation Type         Authentication Server   Internal Database   RSA Security Console
Primary Instance          X                       X                   X
Replica Instance          X                       X                   X
Server Node               X                                           X
Documentation and SDK

Primary Instance
An instance is a single database server, or a database server and one or more server nodes, acting as a single cohesive processing unit. The primary instance serves as the central point for administration and data storage in the system. You can add additional server nodes to a primary instance to improve performance. Also, you can connect your primary instance with replica instances that provide redundancy and failover.

Note: You must have an Advanced license to install server nodes. Server nodes are not available with a Base license.

The following figure shows a primary instance with no additional server nodes. The components installed on your database server machine by the installation type Authentication Manager Primary Instance are shown on the gray background.

[Figure: Primary instance. The database server hosts the RSA Security Console, the internal database, and the Authentication Server. Browsers reach the RSA Security Console over HTTPS; authentication agents and authentication clients (not installed by the Authentication Manager installer) reach the Authentication Server over UDP.]

This installation procedure is described in Chapter 4, Installing an RSA Authentication Manager Primary Instance.

Replica Instance
A replica instance provides redundancy for geographical distribution and for failover. A replica instance is dependent on a primary instance and cannot perform administrative functions independently. It can, however, connect independently to its own server nodes to provide runtime authentication.

The following figure shows a replica instance together with the primary instance on which it depends. The components installed on your database server machine by the installation type Authentication Manager Replica Instance are shown on the gray background.

[Figure: Primary instance and replica instance. Each database server hosts an RSA Security Console, an internal database, and an Authentication Server. Browsers reach the primary instance's RSA Security Console over HTTPS and the replica instance's read-only RSA Security Console over HTTPS; authentication agents (not installed by the Authentication Manager installer) reach each Authentication Server over UDP; data replication flows between the primary and replica database servers.]

The replica instance installation creates the same components on the database server as the primary instance installation, but it configures them differently:
- The replica database server is configured to listen for administrative data replication from the primary database server.
- It logs its runtime operations to the primary database server.
- The Security Console installed with the replica instance is limited to read-only operations.

To link a replica instance to a primary instance, you must first install the primary instance and then gather data from it for use in the replica instance installation. This process and all other replica instance installation details are described in Chapter 5, Installing a Replica Instance for Failover.

Server Node
A server node is a host that depends on a primary or replica database server. It handles operations in the same LAN subnet and provides improved agent authentication performance and failover.

Note: You must have an Advanced license to install server nodes. Server nodes are not available with a Base license.

The following figure shows a primary instance with two additional server nodes. You can add server nodes to a replica instance in the same way. The components installed on your server node machines by the installation type Authentication Manager Server Node are shown on the gray background.

[Figure: Primary instance with two server nodes. The database server hosts the RSA Security Console, the internal database, and an Authentication Server; each server node hosts an RSA Security Console and an Authentication Server. Browsers reach the RSA Security Console over HTTPS; authentication agents (not installed by the Authentication Manager installer) reach the Authentication Servers over UDP.]

The Security Consoles shown on the server nodes receive requests distributed by the proxy service on the primary database server. In a typical configuration, browser access to the Security Console is directed to this proxy service at port 7004 on the primary instance database server.

To link a server node to a primary or replica database server, you must first install the primary or replica instance and then gather data from it for use in the server node installation. This process and all other server node installation details are described in Chapter 6, Installing a Server Node for Improved Performance.

LDAP Directory
If it is part of your deployment plan, configure Authentication Manager to use your organization's LDAP directory to access your user data. Authentication Manager modifies certain existing user data fields in the LDAP directory only if you allow it. Those data fields include a user's first and last name, e-mail address, and password.

After installation, you can run the Initialize Identity Source utility and perform certain Security Console tasks to create a data connection between your LDAP directory and Authentication Manager. You must specify a base DN that contains all users in your LDAP directory who you want to be Authentication Manager users or administrators. For instructions on how to run the utility, see Chapter 8, Accessing Users and Groups from an LDAP Directory.

The following examples describe how to specify the base DN and user branch to include all users for two different LDAP configurations.

Example 1
All users reside in one container in the LDAP directory. Specify dc=company,dc=com as the base DN. Specify the container ou=people as the user branch.

    dc=company,dc=com (base DN)
        ou=people (user branch)
            your users

Example 2
Users reside in multiple containers within a common container. Specify dc=company,dc=com as the base DN. Specify the container ou=northamerica as the user branch.

    dc=company,dc=com (base DN)
        ou=northamerica (user branch)
            ou=sales
                your users
            ou=research
                your users
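In both examples the users Authentication Manager can see are those below <user branch>,<base DN>. The following Python script, added here as an editorial example and not code from the RSA guide or from Authentication Manager, checks a list of user DNs against that scope for the two configurations above, so a misplaced container (such as a user under a branch other than the one specified) shows up before the identity source is created. The sample DNs are constructed for the example; the case-insensitive comparison of dc and ou values is an assumption about the directory's matching rules.

```python
"""Check which LDAP user DNs fall inside an identity source's scope.

Editorial example, not code from the RSA guide or from Authentication Manager.
Authentication Manager sees the users under <user branch>,<base DN>; this
script models the guide's two examples (base DN dc=company,dc=com with the
user branch ou=people, or ou=northamerica holding ou=sales and ou=research).
Sample DNs are constructed for the example.
"""
from typing import List, Tuple

BASE_DN = "dc=company,dc=com"

# Constructed sample directory contents (not from the guide).
SAMPLE_USERS = [
    "uid=jdoe,ou=people,dc=company,dc=com",
    "uid=asmith,ou=sales,ou=northamerica,dc=company,dc=com",
    "uid=bchen,ou=research,ou=northamerica,dc=company,dc=com",
    "uid=mmuller,ou=europe,dc=company,dc=com",
    "cn=Doe\\, Jane,ou=people,dc=company,dc=com",   # escaped comma in the value
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Canonical RDN tuple: whitespace around '=' and ',' dropped, and both
    attribute type and value lower-cased (assumption: dc and ou values match
    case-insensitively, so 'dc =Company, dc=com' equals 'dc=company,dc=com')."""
    parts = []
    for rdn in split_rdns(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(parts)


def scope_dn(base_dn: str, user_branch: str) -> Tuple[str, ...]:
    """The user branch is a container named relative to the base DN."""
    return normalize_dn(user_branch) + normalize_dn(base_dn)


def in_scope(user_dn: str, base_dn: str, user_branch: str) -> bool:
    """True when user_dn lies below <user branch>,<base DN>: directly under it
    (Example 1) or in a nested container such as ou=sales (Example 2).
    The container entry itself is not a user and is reported as out of scope."""
    user = normalize_dn(user_dn)
    scope = scope_dn(base_dn, user_branch)
    return len(user) > len(scope) and user[-len(scope):] == scope


def out_of_scope(user_dns: List[str], base_dn: str, user_branch: str) -> List[str]:
    """Users that Authentication Manager would not see with this configuration."""
    return [dn for dn in user_dns if not in_scope(dn, base_dn, user_branch)]


if __name__ == "__main__":
    for branch in ("ou=people", "ou=northamerica"):
        print(f"user branch {branch}: not visible ->",
              out_of_scope(SAMPLE_USERS, BASE_DN, branch))
```

Run against an export of your own user DNs (for example from an LDAP search restricted to the user object class) with the base DN and user branch you intend to enter; every DN the script reports as out of scope is a user who will not be able to authenticate through that identity source.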

2 Preparing for Installation
- System Requirements
- Pre-Installation

System Requirements
Make sure your system meets these requirements for supported platform and system components.

Note: Machines hosting the primary instance, replica instances, and server nodes must all use the same operating system.

Important: In a multi-node deployment, performance and scalability are affected by the hardware on which the database server and server nodes are installed. The database server handles authentication requests from the server nodes, as well as administration connections through the server nodes. The primary instance database server has the additional burden of handling all replication to and from the replica instances. In terms of CPU speed, memory, and disk speed, RSA Security recommends that the database server be significantly more powerful than the server nodes, and that the primary instance database server be the most powerful machine in your deployment.

Windows System Requirements
Operating System:      Microsoft Windows Server 2003 Enterprise, SP1 (32-bit)
Hardware:              Intel Xeon 2.8 GHz or equivalent
Disk Space:            60 GB free space recommended; 20 GB free space minimum. Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
                       Important: Do not allow all disk space to become consumed. At that point, Authentication Manager may stop operating and be difficult to restore.
Memory Requirements:   2 GB
Page File:             2 GB

Linux System Requirements
Operating System:      Red Hat Enterprise Linux 4.0-1 ES (32-bit x86)
Hardware:              Intel Xeon 2.8 GHz or equivalent
Disk Space:            60 GB free space recommended; 20 GB free space minimum. Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
                       Important: Do not allow all disk space to become consumed. At that point, Authentication Manager may stop operating and be difficult to restore.
Memory Requirements:   2 GB
Swap Space:            2 GB
Kernel Version:        2.6.9-22.EL and later
Kernel Parameters:     Maximum shared memory must be at least 256 MB
Packages (RPM):        The following packages (or later versions) must be installed:
                       binutils-2.15.92.0.2-12
                       compat-db-4.1.29-5
                       compat-libstdc++-296.2.9.6-132.7.2
                       coreutils 5.2.1-31.2 or later
                       control-center-2.8.0-12
                       gcc-3.4.3-22.1
                       gcc-c++-3.4.3-22.1
                       gnome-libs-1.4.1.2.90-44.1
                       glibc-common-3.4.3-22.1
                       glibc-2.3.2-95.20
                       initscripts 7.93.20 or later
                       libstdc++-3.4.3-22.1
                       libaio-0.3.96
                       make-3.80-5
                       libstdc++-devel-3.4.3-22.1
                       pdksh-5.2.14-30
                       setarch-1.6-1
                       sysstat-5.0.5-1
                       xscreensaver-4.18-5

Note: To check your RPM versions on Linux, use the command rpm -q <package name>.
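The note above checks one package at a time by eye. The following Python script, added here as an editorial example and not code from the RSA guide or from Authentication Manager, checks a whole query result against a subset of the required list: it parses the output of rpm -q with a --qf format string and compares versions with a simplified form of rpm's own version ordering, so that a release such as 31.3 is correctly ranked above 31.2 and a missing package is reported. The package subset and the sample query output are constructed for the example.

```python
r"""Compare installed RPM versions against the guide's minimum package list.

Editorial example, not code from the RSA guide or from Authentication Manager.
It parses the output of
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <packages>
and checks each package with a simplified form of rpm's version comparison.
REQUIRED is a subset of the guide's RHEL 4 list; SAMPLE_OUTPUT is constructed.
"""
import re
from typing import Dict, List, Tuple

# name -> (minimum version, minimum release); an empty release means the guide
# names no release for that package.  Subset of the guide's table.
REQUIRED: Dict[str, Tuple[str, str]] = {
    "binutils": ("2.15.92.0.2", "12"),
    "compat-db": ("4.1.29", "5"),
    "coreutils": ("5.2.1", "31.2"),
    "gcc": ("3.4.3", "22.1"),
    "libaio": ("0.3.96", ""),
    "make": ("3.80", "5"),
    "pdksh": ("5.2.14", "30"),
}

# Constructed sample of the rpm query output: one package deliberately too
# old (gcc) and one deliberately missing (libaio).
SAMPLE_OUTPUT = """\
binutils 2.15.92.0.2 12
compat-db 4.1.29 5
coreutils 5.2.1 31.3
gcc 3.4.3 9.EL4
package libaio is not installed
make 3.80 5
pdksh 5.2.14 30
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp, simplified: segments are runs of
    digits or letters (other characters only separate), numbers compare
    numerically, letters compare lexically, a numeric segment outranks an
    alphabetic one, and the string with segments left over is newer.
    rpm's '~' and '^' special cases are not implemented."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def meets_minimum(installed: Tuple[str, str], required: Tuple[str, str]) -> bool:
    """Version is compared first; release only breaks a tie, and only when the
    requirement names one."""
    c = rpmvercmp(installed[0], required[0])
    if c != 0:
        return c > 0
    if not required[1]:
        return True
    return rpmvercmp(installed[1], required[1]) >= 0


def parse_rpm_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Collect 'NAME VERSION RELEASE' lines; 'package X is not installed'
    lines have a different shape and are skipped."""
    installed: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 3:
            installed[fields[0]] = (fields[1], fields[2])
    return installed


def check_packages(output: str, required: Dict[str, Tuple[str, str]] = REQUIRED) -> List[str]:
    """Return one message per missing or too-old package; empty means all good."""
    installed = parse_rpm_query(output)
    problems: List[str] = []
    for name, (ver, rel) in sorted(required.items()):
        want = f"{ver}-{rel}" if rel else ver
        if name not in installed:
            problems.append(f"{name}: not installed (need {want} or later)")
        elif not meets_minimum(installed[name], (ver, rel)):
            have = "-".join(installed[name])
            problems.append(f"{name}: installed {have}, need {want} or later")
    return problems


if __name__ == "__main__":
    for problem in check_packages(SAMPLE_OUTPUT) or ["all listed packages present"]:
        print(problem)
```

To use it on a real host, run the rpm -q command from the docstring with the names in REQUIRED and pass its output to check_packages; extend REQUIRED with the remaining entries of the table above before relying on it.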

Supported Data Stores
Authentication Manager uses two categories of data:
- Policy data
- User and group data
For Authentication Manager, data can be stored in:
- The internal database
- One or more LDAP directories (called an identity source within Authentication Manager)
If you use only the internal database, both the policy data and the user and group data are stored there. If you integrate Authentication Manager with identity sources that hold your existing user and group data, only the policy data is stored in the internal database.

Internal Database
Authentication Manager is installed with an internal database. The internal database contains all application and policy data, and you may choose to store user and group data in it.

Identity Sources
Authentication Manager supports the use of an external LDAP directory for user and group data. Supported LDAP directories are:
- Sun Java System Directory Server 5.2, SP 3
- Microsoft Active Directory 2003, SP 1

Note: Active Directory Application Mode (ADAM) is not supported.

Sun Java System Directory Server can be located on the same machine as Authentication Manager or on a different machine. However, both machines must be on the same network. Active Directory must be located on a different machine.

Authentication Manager LDAP integration does not modify your existing LDAP schema, but rather creates a map to your data that Authentication Manager uses. The use of SSL-LDAP requires that the appropriate certificate and key are accessible by Authentication Manager.

Supported Browsers
This section describes the browsers supported for the RSA Security Console. Browser support differs between Windows and Linux platforms.

On Windows
- Internet Explorer 6.0 with SP2
- Firefox 1.0.7 and later

On Linux
- Firefox 1.0.7 and later

Note: On all browsers, JavaScript must be enabled. Internet Explorer may require configuration depending on your security level. For instructions on enabling JavaScript, see Logging On to the RSA Security Console on page 66.

Supported RSA Authentication Agents
You install RSA Authentication Agents on the resources that you want to protect, such as local computers, terminal servers, and web servers. RSA Authentication Agents receive authentication requests and forward them to Authentication Manager through a secure channel. Based on the response from Authentication Manager, agents either allow the user to log on or deny the user access.

Authentication Manager is compatible with these RSA Authentication Agents:
- RSA Authentication Agent 6.1.1 Special Edition for Microsoft Windows
- RSA Authentication Agent 5.3 for Web for Internet Information Services
- RSA Authentication Agent 5.3 for Web for Apache
- RSA Authentication Agent 5.3 for Web for Sun Java System
- RSA Authentication Agent 5.3.4 for PAM
- RSA ACE/Agent 5.2 for UNIX
You can download Agents from the RSA Authentication Agent software page at https://www.rsasecurity.com/node.asp?id=1174.

Licensing
Before you install Authentication Manager, make sure you have a valid Authentication Manager license close at hand. RSA Security provides the license files separately from your RSA Authentication Manager 7.0 DVD or download kit. The license allows you access to certain functionality and limits the number of users that can be registered. The license file is accompanied by a server key and certificate that are used to verify (authenticate) the identity of the server.

Maintaining Accurate System Time Settings
Authentication Manager relies on standard time settings known as Coordinated Universal Time (UTC). The time, date, and time zone settings on computers running Authentication Manager must always be correct in relation to UTC.

Make sure that the time on the computer on which you are installing Authentication Manager is set to the local time and corresponds to UTC. For example, if UTC is 11:43 a.m. and Authentication Manager is installed on a computer in the Eastern Standard Time Zone in the United States, make sure the computer clock is set to 6:43 a.m. This differs during daylight saving time. To get the correct UTC, see www.time.gov.

Note: If you employ an NTP service, enable it on the primary instance database server only. This database server typically maintains the replica instance time synchronization automatically.

Pre-Installation

This section describes important pre-installation tasks required to prepare your system for installation. Carefully review the pre-installation checklist for your platform.

    Pre-Installation Checklist for Windows on page 21
    Pre-Installation Checklist for Linux on page 22
    System Update Script for Linux on page 25

Pre-Installation Checklist for Windows

Before installing Authentication Manager, review the Release Notes, which contain important configuration and installation information.

You must have:

    A machine that meets all the hardware, disk space, memory, and platform requirements described in Windows System Requirements on page 17.

    Local administrator privileges on the machine.

    A static IP address. DHCP is not supported.

    Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

    A password between 8 and 32 characters including at least six alphabetic characters and one non-alphanumeric character. @ and ~ are excluded. This case-sensitive password is used in Authentication Manager for the Super Admin password as well as the master password for initial access to protect the vault containing important system passwords. You can change both passwords after installation if desired. See Passwords and Keys in systemfields.properties on page 67.

    A temporary directory defined on the host machine. The TEMP variable must be defined, or the installer fails. Installation logs are copied to this directory.

    The following entry in %WINDIR%\system32\drivers\etc\hosts:

        127.0.0.1 localhost.localdomain localhost

    If this entry does not exist, you must add it before installing Authentication Manager. Enter the entire line exactly as shown.

You must:

    Verify that the host machine does not have an existing installation of RSA Authentication Manager or RSA ACE/Server. An existing installation of any version of these products must be uninstalled before you proceed with the new installation.

    Verify that the host does not have an existing installation of Oracle. An existing Oracle database server must be uninstalled before you proceed with the new installation, which includes an internal database.

    Verify that these TCP ports are available for the installed Authentication Manager components:

        5550 - agent auto-registration
        5580 - offline authentication
        2334 - internal database
        7002 - RSA Security Console (secure connection)
        7004 - RSA Security Console proxy server (secure connection)
        7006 - WebLogic administration console/ssl
        7008 - WebLogic administration console/ssl
        7012 - RSA Security Console/SSL
        7014 - RSA Security Console proxy server/ssl

    Verify that these UDP ports are available for the installed Authentication Manager components:

        1161 - SNMP Agent
        1162 - SNMP Agent
        5500 - agent authentication

    Perform a reverse lookup on the IP address where you will install Authentication Manager. Make sure the IP address maps to one hostname. If it maps to more than one hostname, you must modify your DNS server configuration settings.

    If you are using network storage, make sure the disk is mounted at the same location on all nodes in the cluster.

    Back up your Windows registry settings prior to installation.

Pre-Installation Checklist for Linux

You must perform these Linux pre-installation tasks prior to proceeding with the installation.
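The same password rules apply to the Super Admin and master password on both the Windows and Linux checklists, and the installer only tells you afterwards that a value was rejected. The following script is an added example, not part of the RSA guide or its installer: it checks a candidate password against the rules stated above (8 to 32 characters, at least six alphabetic characters, at least one non-alphanumeric character, no @ or ~) before you type it into the installer. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the RSA guide: check a candidate Super Admin /
# master password against the rules the checklist states:
#   8 to 32 characters, at least six alphabetic characters, at least one
#   non-alphanumeric character, and neither @ nor ~ anywhere in it.
# check_am_password returns 0 for an acceptable password and 1 otherwise,
# with the failing rule written to stderr.

# Count the characters of $1 that fall in the tr character class $2
# (for example '[:alpha:]'); tr -cd drops everything outside the class.
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

check_am_password() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
        echo "rejected: length $len is outside 8-32" >&2
        return 1
    fi
    case $pw in
        *[@~]*)
            echo "rejected: @ and ~ are not allowed" >&2
            return 1 ;;
    esac
    alpha=$(count_chars "$pw" '[:alpha:]')
    if [ "$alpha" -lt 6 ]; then
        echo "rejected: $alpha alphabetic characters, need at least 6" >&2
        return 1
    fi
    # Anything that is not a letter or digit counts as non-alphanumeric.
    nonalnum=$(printf '%s' "$pw" | tr -d '[:alnum:]' | wc -c | tr -d ' ')
    if [ "$nonalnum" -lt 1 ]; then
        echo "rejected: no non-alphanumeric character" >&2
        return 1
    fi
    return 0
}

# Interactive use: read the password without echo so it stays out of the
# shell history and the process list (a password passed as a command-line
# argument would be visible in ps output).
prompt_and_check() {
    printf 'Super Admin / master password to check: '
    stty -echo 2>/dev/null
    read -r candidate
    stty echo 2>/dev/null
    echo
    check_am_password "$candidate"
}
```

Call prompt_and_check from an interactive shell on the installation host; a non-zero exit status means the installer would reject the value, and the reason is printed. Because the same value becomes both the initial Super Admin password and the master password that protects the vault, it is worth settling on a compliant value before the install rather than discovering the rejection mid-way.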

You must have:

    A machine that meets all the hardware, disk space, memory, and platform requirements described in Linux System Requirements on page 18.

    Local administrator privileges on the machine.

    A static IP address. DHCP is not supported.

    Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

    A password between 8 and 32 characters including at least six alphabetic characters and one non-alphanumeric character. @ and ~ are excluded. This case-sensitive password is used in Authentication Manager for the Super Admin password as well as the master password for initial access to protect the vault containing important system passwords. You can change both passwords after installation if desired. See Passwords and Keys in systemfields.properties on page 67.

    The following entry in your /etc/hosts file:

        127.0.0.1 localhost.localdomain localhost

    If this entry does not exist, you must add it before installing Authentication Manager. Enter the entire line exactly as shown.

    Note: This entry must not contain the hostname that will be used for Authentication Manager configuration. Make sure it only contains localhost and localhost.localdomain.

You must:

    Create a new user with write permission to the installation location. The default installation location is /usr/local/rsasecurity/rsaauthenticationmanager. Do not run the installation as root user.

    Verify that the host machine does not have an existing installation of RSA Authentication Manager or RSA ACE/Server. An existing installation of any version of these products must be uninstalled before you proceed with the new installation.

    Verify that the host does not have an existing installation of Oracle. An existing Oracle database server must be uninstalled before you proceed with the new installation, which includes an internal database.

    Verify that these TCP ports are available for the installed Authentication Manager components:

        5550 - agent auto-registration
        5580 - offline authentication
        2334 - internal database
        7002 - RSA Security Console (secure connection)
        7004 - RSA Security Console proxy server (secure connection)
        7006 - WebLogic administration console/ssl
        7008 - WebLogic administration console override/ssl
        7012 - RSA Security Console/SSL
        7014 - RSA Security Console proxy server/ssl

    Verify that these UDP ports are available for the installed Authentication Manager components:

        1161 - SNMP Agent
        1162 - SNMP Agent
        5500 - agent authentication

    Set or verify the following configuration attributes in your configuration files prior to installation. You may find it more convenient to make these changes as root user and reboot once before beginning the installation process. If any of these parameters are not set properly, the Linux installer dynamically creates a script to correct them and prompts you to run the script as root user before proceeding with the installation.

        In /etc/sysctl.conf, add:

            kernel.sem = 250 32000 32 128

        Note: These kernel semaphore parameters are minimum values. If you have already set them to a higher value, they do not need to be changed.

        In /etc/security/limits.conf, add:

            user soft nproc 2047
            user hard nproc 16384
            user soft nofile 1024
            user hard nofile 65536

        where user is the User ID for the user installing Authentication Manager.

        In /etc/pam.d/login, add:

            session required /lib/security/pam_limits.so

    Perform a reverse lookup on the IP address where you will install Authentication Manager. Make sure the IP address maps to one hostname. If it maps to more than one hostname, you must modify your DNS server configuration settings.

    If running the GUI-based installer on Linux, you must set the DISPLAY environment variable to point to a valid X Windows server, for example: export DISPLAY=..etc

    If you are using network storage, make sure the disk is mounted at the same location on all server nodes in the cluster.
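The Linux checklist above is long enough that it is easy to miss one item, and the installer's own system update script only covers the kernel and limits parameters. The script below is an added example, not part of the RSA guide or the installer: it turns the checklist items that can be verified mechanically (the /etc/hosts entry, the kernel.sem minimums, the limits.conf and pam_limits lines, the TCP/UDP port list, and the one-hostname reverse lookup) into functions you can run as the installation user before starting setup.sh. Function names, the sample inputs, and the use of ss and dig for the live listings are this example's own choices; everything else comes from the checklist.

```shell
#!/bin/sh
# Added example, not part of the RSA guide: verify the Linux pre-installation
# items before launching setup.sh. Every check takes its input explicitly
# (a file path, a value, a listing), so it can run against the live host or
# against files and command output copied from it. Exit status 0 means the
# check passed; the reason for a failure goes to stderr.

# /etc/hosts must have a 127.0.0.1 line naming localhost.localdomain and
# localhost, and that line must not also carry the Authentication Manager
# hostname ($2).
check_hosts_entry() {   # $1 = hosts file, $2 = AM hostname
    awk -v am="$2" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) seen[$i] = 1 }
        END {
            if (!("localhost.localdomain" in seen) || !("localhost" in seen)) {
                print "missing 127.0.0.1 localhost.localdomain localhost" > "/dev/stderr"; exit 1
            }
            if (am != "" && (am in seen)) {
                print "127.0.0.1 line must not contain " am > "/dev/stderr"; exit 1
            }
        }' "$1"
}

# kernel.sem (semmsl semmns semopm semmni) must be at least 250 32000 32 128;
# higher values are fine, as the note in the checklist says.
check_kernel_sem() {   # $1 = current value, e.g. "$(sysctl -n kernel.sem)"
    cur=$1
    set -- $cur 250 32000 32 128
    [ $# -eq 8 ] || { echo "kernel.sem: expected four fields, got '$cur'" >&2; return 1; }
    [ "$1" -ge "$5" ] && [ "$2" -ge "$6" ] && [ "$3" -ge "$7" ] && [ "$4" -ge "$8" ] ||
        { echo "kernel.sem '$cur' is below the minimum 250 32000 32 128" >&2; return 1; }
}

# limits.conf must give the installing user the four nproc/nofile limits.
# Values above the listed ones are accepted (assumption: the listed values are
# minimums for the installer, like the semaphore values).
check_limits() {   # $1 = limits.conf, $2 = installing user
    f=$1; u=$2
    for spec in "soft nproc 2047" "hard nproc 16384" "soft nofile 1024" "hard nofile 65536"; do
        set -- $spec
        typ=$1; item=$2; val=$3
        awk -v u="$u" -v t="$typ" -v i="$item" -v v="$val" '
            $1 == u && $2 == t && $3 == i && $4 + 0 >= v + 0 { ok = 1 }
            END { exit ok ? 0 : 1 }' "$f" ||
            { echo "limits.conf: '$u $typ $item $val' missing or too low" >&2; return 1; }
    done
}

# /etc/pam.d/login must load pam_limits so limits.conf is applied at login.
check_pam_limits() {   # $1 = /etc/pam.d/login
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+(/lib/security/)?pam_limits\.so' "$1"
}

# Ports the components bind; none may be in use already.
AM_TCP_PORTS="5550 5580 2334 7002 7004 7006 7008 7012 7014"
AM_UDP_PORTS="1161 1162 5500"

check_ports_free() {   # $1 = ports in use, one per line; $2 = required ports
    busy=""
    for p in $2; do
        printf '%s\n' "$1" | grep -qx "$p" && busy="$busy $p"
    done
    [ -z "$busy" ] || { echo "ports already in use:$busy" >&2; return 1; }
}

# Live listing for check_ports_free on a host with iproute2: the local port is
# the last ':'-separated field of the Local Address:Port column.
listening_ports() {   # $1 = t for TCP, u for UDP
    ss -Hln"$1" | awk '{ n = split($4, a, ":"); print a[n] }'
}

# The install IP must reverse-map to exactly one hostname.
check_reverse_lookup() {   # $1 = PTR names for the IP, one per line (e.g. dig +short -x IP)
    n=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "IP maps to $n hostnames, expected exactly one" >&2; return 1; }
}
```

On the host itself the calls are, for example, check_hosts_entry /etc/hosts am1.example.test, check_kernel_sem "$(sysctl -n kernel.sem)", check_limits /etc/security/limits.conf rsaadmin, check_ports_free "$(listening_ports t)" "$AM_TCP_PORTS" and check_ports_free "$(listening_ports u)" "$AM_UDP_PORTS"; the hostname am1.example.test and user rsaadmin are placeholders. The limits check only proves the lines are in the file; because pam_limits applies them at login, the installing user must log out and back in after the change, which is also why the installer's own script may ask you to do that.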

System Update Script for Linux

On Linux, the installer checks your system for issues that can block a successful installation. If the installer determines that any system parameters require updating, it creates a script to update the parameters in /tmp/rsa_am_timestamp/. If your system requires updating, the installer presents you with the following options:

    Exit the installer, and run the system update script as root. If the script instructs you to do so, log off and log on again before you proceed with the installation.

    Continue anyway, without running the script or doing updates. Select this option to enable the Next button, and proceed with the installation.

Important: Select the option to continue anyway only if you are certain the installation will not fail. This option is best used under consultation with RSA Customer Support or Professional Services.

3 Identifying the Installation Process for Your Deployment Model

    Planning Your Deployment
    Deployment Process
    Example Deployments

Planning Your Deployment

Before installing any Authentication Manager component, make sure you know the details of your overall deployment. RSA Security strongly recommends that you read the Planning Guide and complete a planning checklist, as shown below, before beginning your installation. The Your Plan column of each checklist is left blank for you to fill in.

Pre-Installation

    Element              Description                                  Your Plan
    License type         Base / Advanced
    Platform             Windows / Linux
    Master password

Installation

    Element              Description                                  Your Plan
    Primary instance     Physical location
                         Name and IP address of the database server
                         Name and IP address of any server nodes
    Replica instances    Number of instances
                         Physical location(s)
                         Name and IP address of the database server
                         Name and IP address of any server nodes

Identity Source Configuration

    Element              Description                                  Your Plan
    Identity source(s)   LDAP
                         Number and type. For example:
                             RSA Authentication Manager internal database
                             Active Directory
                             Active Directory forests
                             Sun Java System Directory Server
                         URL of the LDAP identity source
                         User defined unique identity source name
                         LDAP server user name
                         LDAP server password
                         URL of the failover identity source (optional)
                         Authentication Manager administrator user name
                         Authentication Manager administrator password

Administrative Configuration

    Element              Description                                  Your Plan
    Realm                Number
                         Names
    Security domains     Top-level name
                         Lower-level names
    Token(s)             Number and type. For example:
                             RSA SecurID token
                             RSA Smart Card
                             RSA SecurID Software Toolbar Token
                             RSA USB token
                         Contact person for obtaining token seed records
    Policies             Number of custom policies
                         Names of security domains requiring custom policies
                         Method of PIN creation. For example:
                             System-generated
                             User-generated
                         Length of PINs (4-8 characters)
                         Character restrictions on PINs
                         Number of failed authentication attempts allowed before user lockout
                         Method of unlocking locked user. For example:
                             Automatically
                             Manually
                         Password lifetime
                         Maximum and minimum password length
                         Number of restricted old passwords
                         Excluded words dictionary
                         Character restrictions on password
                         Lifetime of Emergency Access Tokencodes
                         Behavior of Emergency Access Tokencode when token is recovered. For example:
                             Deny authentication with the token
                             Allow authentication with the token and disable the Emergency Access Tokencode
                             Allow authentication with the token only after the Emergency Access Tokencode expires

Post-Installation

    Element              Description                                  Your Plan
    Resources to protect Agents. For example:
                             File servers
                             Databases
                             Identity sources
                         Number
                         Physical location of agents
                         Name and IP address of agents

Deployment Process

Make sure you understand the decision points and tasks required by the Authentication Manager deployment process. Depending on your needs, your deployment may require multiple replica instance or server node installation tasks. The following figure is only a general guide.

Note: You must have an Advanced license if you need to install more than one replica instance.

Figure: deployment process flow, rendered here as text.

    Start
    Install Primary Instance (Chapter 4)
    Add Server Nodes? (Advanced License Required)
        Yes: Install Server Node(s) (Chapter 6)
        No: continue
    Install Replicas?
        Yes: Install Replica(s) (Chapter 5), then Add Server Nodes? (Advanced License Required)
            Yes: Install Server Node(s) (Chapter 6)
            No: continue
        No: continue
    Add Users from LDAP?
        Yes: Adding Users and Groups from an LDAP Directory (Chapter 8)
        No: continue
    End

Example Deployments

Review these example deployments, choose the deployment that best fits your company's requirements, and refer to the related sections. The examples in the following sections provide a high-level view of the steps required to install different types of deployments. Your specific deployment may combine aspects of more than one example.

    Small Deployment
    Medium Deployment
    Large Deployment

Note: These examples are based on detailed planning scenarios described in the Planning Guide.

Small Deployment

This example deployment illustrates the installation of a primary instance with a replica instance for failover.

Figure: a Primary Instance (Database Server with Internal Database) and a Replica Instance (Database Server with Internal Database), with data replication between the two internal databases.

    1. Verify that all Authentication Manager machines meet the system requirements.
       See Chapter 2, Preparing for Installation.

    2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 4, Installing an RSA Authentication Manager Primary Instance.

    3. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 5, Installing a Replica Instance for Failover.

    4. Perform post-installation tasks to prepare the RSA Security Console for administration.
       See Chapter 7, Performing Post-Installation Tasks.

Medium Deployment

This example deployment illustrates installing a primary instance with an additional server node and LDAP integration, and then a replica instance with an additional server node for failover.

Figure: a Primary Instance (Database Server with Internal Database, plus a Server Node) and a Replica Instance (Database Server with Internal Database, plus a Server Node), with data replication between the internal databases and Active Directory as the identity source.

    1. Verify that all Authentication Manager machines meet the system requirements.
       See Chapter 2, Preparing for Installation.

    2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 4, Installing an RSA Authentication Manager Primary Instance.

    3. Install a server node. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       Note: Repeat this process for each server node you want to install.
       See Chapter 6, Installing a Server Node for Improved Performance.

    4. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 5, Installing a Replica Instance for Failover.

    5. Install a server node on the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       Note: Repeat this process for each server node you want to install.
       See Chapter 6, Installing a Server Node for Improved Performance.

    6. Perform post-installation tasks to prepare the Security Console for administration.
       See Chapter 7, Performing Post-Installation Tasks.

    7. Integrate your existing LDAP directory as the authoritative user and group identity source.
       See Chapter 8, Accessing Users and Groups from an LDAP Directory.

Large Deployment

This example deployment extends the medium business deployment by adding replica instances at additional sites as well as a heterogeneous LDAP environment that includes Sun Java System Directory Server and Microsoft Active Directory.

Figure: a Primary Instance and three Replica Instances spread across Site 1, Site 2 and Site 3. Each instance has a Database Server with an Internal Database and a Server Node, and data is replicated among all internal databases. The identity sources shown are Active Directory, Sun Java System Directory Server, and an Active Directory Global Catalog.

    1. Verify that all Authentication Manager machines meet the system requirements.
       See Chapter 2, Preparing for Installation.

    2. Install the primary instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 4, Installing an RSA Authentication Manager Primary Instance.

    3. Install a server node. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       Note: Repeat this process for each server node you want to install.
       See Chapter 6, Installing a Server Node for Improved Performance.

    4. Install the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       See Chapter 5, Installing a Replica Instance for Failover.

    5. Install a server node on the replica instance. Be sure to secure backup files, and verify that the installation was successful by performing a test authentication after completing the installation.
       Note: Repeat this process for each server node you want to install.
       See Chapter 6, Installing a Server Node for Improved Performance.

    6. Perform post-installation tasks to prepare the Security Console for administration.
       See Chapter 7, Performing Post-Installation Tasks.

    7. Integrate your existing LDAP directory as the authoritative user and group identity source.
       See Chapter 8, Accessing Users and Groups from an LDAP Directory.

4 Installing an RSA Authentication Manager Primary Instance

    GUI-Based Installation
    Command Line Installation
    Silent Installation
    Securing Backup Files
    Verifying the Installation

GUI-Based Installation

Use the GUI-based installer if you prefer standard graphical screens to assist you through the process. Installation time varies depending on system speed and memory. Make sure you allow at least one hour to perform the installation.

To install Authentication Manager using the GUI-based installer:

1. Locate and launch the installer for your platform:

       auth_mgr\win32-x86\setup.exe (Windows)
       auth_mgr/linux-x86/setup.sh (Linux)

2. Respond to the prompts for Welcome, Select Region, License Agreement, and Choose Destination Location.

3. Select Authentication Manager Primary Instance.

   Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk.

   On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as root user, not as the installation user. See System Update Script for Linux on page 25.

   Note: If you want to change the installation type at a later date, you must uninstall the existing Authentication Manager and reinstall it using the new installation type. Installation types are described in Installation Types on page 11.

4. The installer displays the hostname and IP address that will be used for installation. Check this information. Click OK > Next if it is the expected hostname and IP address.

   Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

5. Locate the folder that contains your Authentication Manager license file, server key, and certificate files. Click Browse to find and select this folder on the installation host (the files in the folder are not displayed). Click Next, and verify the license information. The license allows you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

6. At the prompt, enter and confirm a Super Admin and master password. The value you enter is used for both the initial Super Admin password and the password for operations such as installing a replica instance or handling security certificates. The password must be between 8 and 32 characters and include at least six alphabetic characters and one non-alphanumeric character. @ and ~ are excluded.

7. Review the summary screen, verifying the features you have selected and the disk space required.

8. To begin copying Authentication Manager files, click Install. The installer begins copying files and displays a progress indicator.

9. Click Finish to close the installer. Unless you clear the checkboxes for opening the Release Notes and Security Console, these will open in your default browser after you click Finish.

10. When prompted by your browser, accept the certificate for the Security Console. As part of the normal installation, the installer creates a certificate authority and uses it to sign the Security Console browser certificate.

11. Continue to Securing Backup Files on page 43 to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Command Line Installation

Use the command line installation if you prefer a command interface or if you intend to run the installation through a script. The prompts for command line installation are displayed with instructions on how to proceed or select options. Enter 1 to proceed, 3 to cancel, and 5 to redisplay.

To install Authentication Manager using the command line installer:

1. From a command prompt, change to the directory containing the installer:

       auth_mgr\win32-x86\setup.exe (Windows)
       auth_mgr/linux-x86/setup.sh (Linux)

2. Enter the appropriate command for your platform:

   For Windows, type:

       setup.exe -console

   For Linux, type:

       ./setup.sh -console

3. Respond to the prompts for Select Region, License Agreement, and Choose Destination Location.

   Note: If you are not automatically taken to the next prompt, type 0.

4. Select Authentication Manager Primary Instance.

   Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk.

   On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as root user, not as the installation user. See System Update Script for Linux on page 25.

5. The installer displays the hostname and IP address that will be used for installation. Check this information, and select 1 if it is the expected hostname and IP address.

   Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is for the primary network adapter. The Security Console listens only to the IP address you specify.

6. Enter the name of the folder that contains your Authentication Manager license file, server key, and certificate files. The license allows you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

7. At the prompt, enter and confirm a Super Admin and master password. The value you enter is used for both the initial Super Admin password and the password for operations such as installing a replica instance or handling security certificates. The password must be between 8 and 32 characters and include at least six alphabetic characters and one non-alphanumeric character. @ and ~ are excluded.

8. Review the summary screen, verifying the features you have selected and the disk space required. Once you proceed from this screen, the installer begins copying files and displays a progress indicator. To cancel the installation, enter 3, and respond 1 (Yes) to the prompts to remove installer files.

9. When the installer displays a message indicating successful installation, continue to Securing Backup Files on page 43 to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Silent Installation

For a silent installation, you must:

    Locate the appropriate response file template for your installation type (primary instance, replica instance, or server node), edit it with your actual values, and save it as a response file.

    Launch the installer with arguments that specify silent and point to the response file.

These tasks are described in the following sections.

Creating a Response File from the Template

Locate the following response file templates in resource/silent_install/:

    primary_template.txt
    replica_template.txt
    node_template.txt

To create a response file from the template:

1. Open the appropriate template file for your installation type.

2. Enable settings in the template by removing the leading ### characters from each line of text (search to find the settings you can change).

3. Specify values for enabled settings by replacing the characters '<value>' with the actual value for that setting. See the manual installation chapter for your installation type. For example, refer to Chapter 4, Installing an RSA Authentication Manager Primary Instance when editing primary_template.txt.

4. Save your changes with a new filename. This filename is required in the next step, launching a silent installation.

Launching a Silent Installation

To perform a silent installation, add -silent -options response_file to your installation command.

GUI-Based Windows Example:

    setup.exe -silent -options response1.txt

Command Line Windows Example:

    setup.exe -console -silent -options response1.txt

GUI-Based Linux Example:

    setup.sh -silent -options response1.txt

Command Line Linux Example:

    setup.sh -console -silent -options response1.txt

Note: If you use the GUI-based installer for silent installation, the screens are displayed with the response file values in place of the defaults, which may be manually overridden.

Securing Backup Files

The installer automatically backs up a list of important files to RSA_AM_HOME/backup. Immediately after installation, move the backup directory to a secure location.

Important: For highest security, store SYSTEM.SRK, included in your backup folder, on removable media. Retrieve this private key only for disaster recovery.

Verifying the Installation

To verify that the installation was successful:

1. Access the Security Console web application from supported browsers by entering the Security Console URL as shown:

       https://fully qualified domain name:7004/console-ims/

   For example, if the fully qualified domain name of your Authentication Manager installation is host.mycompany.com, type the following in your browser:

       https://host.mycompany.com:7004/console-ims

2. Log on to the Security Console using your password.
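The response file edited in Creating a Response File from the Template is what a silent installation reads, and a line whose '<value>' placeholder was left in place, or a setting that was never uncommented, only shows up as a failed or half-configured install. The script below is an added example, not part of the RSA guide or the installer: it renders a response file from a template by uncommenting the named settings and substituting their values, then refuses to produce a file in which an enabled line still carries '<value>'. The guide describes the templates only as lines commented out with leading ### and a '<value>' placeholder, so the "name=<value>" line shape and the setting names used in the constructed template (installLocation, licenseFolder, masterPassword) are assumptions made for this example; check them against the real primary_template.txt before use. The file receives owner-only permissions because it carries the Super Admin and master password.

```shell
#!/bin/sh
# Added example, not part of the RSA guide: build a response file from one of
# the silent-install templates. The guide describes the templates only as
# settings commented out with a leading "### " and a "<value>" placeholder;
# the "name=<value>" line shape and the setting names used in the test
# template are assumptions made for this demo.

# render_response_file TEMPLATE OUTPUT name=value...
# Copies the template, enables each named setting by stripping "### " and
# substituting its value, then refuses to finish if any enabled line still
# carries a <value> placeholder.
render_response_file() {
    tpl=$1; out=$2; shift 2
    cp "$tpl" "$out" || return 1
    # The file will hold the Super Admin / master password: owner-only access.
    chmod 600 "$out" || return 1
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        grep -Fq -- "$name=" "$out" ||
            { echo "setting '$name' not found in $tpl" >&2; return 1; }
        # The value travels through the environment rather than awk -v so that
        # backslashes (Windows paths) and & are kept literally, and the
        # replacement is a plain substring splice for the same reason.
        VAL="$value" awk -v n="$name" '
            BEGIN { v = ENVIRON["VAL"] }
            index($0, "### ") == 1 && index($0, n "=") > 0 {
                sub(/^### /, "")
                i = index($0, "<value>")
                if (i > 0) $0 = substr($0, 1, i - 1) v substr($0, i + 7)
            }
            { print }' "$out" > "$out.tmp" && mv "$out.tmp" "$out" || return 1
        chmod 600 "$out" || return 1
    done
    if grep -v '^###' "$out" | grep -q '<value>'; then
        echo "enabled settings still hold <value> placeholders:" >&2
        grep -v '^###' "$out" | grep '<value>' >&2
        return 1
    fi
    return 0
}

# Settings a response file enables, for review before the install runs
# (passwords are shown in clear, so use this only on a terminal you control).
enabled_settings() {   # $1 = response file
    grep -v '^###' "$1" | grep -v '^#' | grep -v '^[[:space:]]*$'
}
```

A typical call is render_response_file resource/silent_install/primary_template.txt response1.txt installLocation=/usr/local/rsasecurity/rsaauthenticationmanager 'masterPassword=...' followed by enabled_settings response1.txt to eyeball the result, and then setup.sh -console -silent -options response1.txt as in the examples above. Delete or lock away the response file once the install has succeeded; like the backup directory, it contains material that lets anyone who reads it administer the deployment.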

5 Installing a Replica Instance for Failover

    Preparing to Install a Replica Instance
    GUI-Based Installation
    Command Line Installation
    Silent Installation
    Rebalancing Contact Lists
    Securing Backup Files
    Verifying the Installation

Preparing to Install a Replica Instance

Gather information from the primary database server, and make it available to the replica database server host. Perform these steps:

1. Synchronize the clocks between the machines hosting the primary and replica instances. See the following section, Synchronizing Clocks.

2. Create a replica package file from the primary database server using the Generate Replica utility. Optionally, your replica package may contain data for offline synchronization. For instructions, see Creating a Replica Package File on page 46.

   Online synchronization transfers all data from the primary instance database server to the replica instance over a network connection. Offline synchronization transfers only administrative data. The replica instance is initialized with the data from the replica package. You can use this method only if you generated a primary data file.

3. Transfer the replica package file to the target host. Each package file is unique, functioning properly only on the host specified during its creation. For instructions, see Transferring the Replica Package File on page 47.

Synchronizing Clocks

You must ensure that the clocks for the primary instance and replica instance are synchronized.

For Windows systems, type the following command at all replica instances:

    NET time \\primarycomputername /set

For Linux systems, type the following command at all replica instances:

    net time set -S primarycomputername

Creating a Replica Package File For complete detail on replica utility commands, run rsautil gen-replica-pkg --help from a command prompt in RSA_AM_HOME/utils/. With the optional argument -- generate-data, or -g, you can include, in the package, a data file containing all the relevant data from the primary instance database server offline synchronization. If your system has been active long enough to accumulate a large amount of data, and the connection speed between your primary instance database server and replica instance database server host is limited, you might decide to use offline synchronization to speed up your replica instance deployment. Important: Generating a data file requires up to two times the disk space used by the data. Important: You must use the replica package within seven days after it is created. If you do not use it within seven days, you must create a new replica package. To create a replica package for offline synchronization: 1. From a command prompt on the host of the primary instance database server, change directories to RSA_AM_HOME/utils/. 2. Enter the command: rsautil gen-replica-pkg -t hostname [-u admin_username][-g] where: hostname is the fully qualified hostname of the replica database server host. admin_username is the Super Admin user name. The default is admin. -g indicates that you want to generate the primary data file as part of the replica package, to use for offline synchronization during installation. 3. If you did not enter -g, when prompted, indicate if you will use offline synchronization. 4. Enter the Super Admin password when prompted. 5. Enter your master password when prompted. By default, this is the same as the Super Admin password, unless the Super Admin password was changed after installation. The message Successfully generated hostname-replica.pkg appears. The replica package will be output to the current directory as hostname-replica.pkg. 
For more information on the Generate Replica Package utility, see Appendix B, Command Line Utilities.
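The three preconditions stated above (clocks in agreement, a package generated for the target host, and use within seven days) can be checked on the replica host before setup is launched. The following POSIX shell script is an added example written for this guide; it is not part of the RSA installer or of the rsautil utilities. It checks that a package file is named for the local host in the hostname-replica.pkg form that gen-replica-pkg writes, that the file is less than seven days old, and that two clock readings are within a tolerance. Using the file's modification time as a proxy for its generation time, the 60-second tolerance in the usage comment, and the example hostnames are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-installation checks for a replica package.
# Not RSA code. Assumptions: the package is named <fqdn>-replica.pkg
# exactly as gen-replica-pkg writes it, and the file's modification
# time is a fair proxy for the time it was generated.

MAX_AGE_DAYS=7      # the guide's seven-day validity window

# pkg_matches_host PKG FQDN -> 0 if PKG is the package generated for FQDN
pkg_matches_host() {
    case "$(basename "$1")" in
        "$2-replica.pkg") return 0 ;;
        *) return 1 ;;
    esac
}

# pkg_age_days PKG NOW_EPOCH -> prints the package age in whole days
pkg_age_days() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")   # GNU, then BSD stat
    echo $(( ($2 - mtime) / 86400 ))
}

# pkg_is_fresh PKG NOW_EPOCH -> 0 if the package is younger than MAX_AGE_DAYS
pkg_is_fresh() {
    age=$(pkg_age_days "$1" "$2")
    [ "$age" -lt "$MAX_AGE_DAYS" ]
}

# clock_skew_ok LOCAL_EPOCH REMOTE_EPOCH TOLERANCE_SECONDS -> 0 if |diff| <= tolerance
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$3" ]
}

# check_replica_pkg PKG FQDN [NOW_EPOCH]: run the package checks, report, return 0/1
check_replica_pkg() {
    pkg=$1; fqdn=$2; now=${3:-$(date +%s)}
    rc=0
    if [ ! -r "$pkg" ]; then
        echo "ERROR: $pkg is not readable" >&2
        return 1
    fi
    if ! pkg_matches_host "$pkg" "$fqdn"; then
        echo "ERROR: $pkg was not generated for $fqdn; it will not install here" >&2
        rc=1
    fi
    if ! pkg_is_fresh "$pkg" "$now"; then
        echo "ERROR: $pkg is $(pkg_age_days "$pkg" "$now") days old; regenerate it on the primary" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $pkg is ready for $fqdn"
    return "$rc"
}

# Usage on the replica host (hostnames and the 60 s tolerance are assumptions):
#   check_replica_pkg /tmp/replica1.example.com-replica.pkg "$(hostname -f)"
#   clock_skew_ok "$(date +%s)" "<epoch read from the primary>" 60
```

Run the checks immediately before launching setup: a package that fails the age check must be regenerated on the primary, and a clock skew failure should be corrected with the NET time or net time command above before continuing.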

Transferring the Replica Package File

Once you have used the Generate Replica Package utility on the primary instance database server to create a replica package, transfer it to the target host. RSA Security recommends that you transfer the package through a secure network or by removable media. Installing the replica requires both the package and the master password, and a package generated with -g carries a copy of the primary instance data, so treat the file as sensitive and delete stray copies once the replica is installed.

Note the location on the target host where you copy the package. This information, along with the master password, is required during installation.

GUI-Based Installation

Use the GUI-based installer if you prefer standard graphical screens to assist you through the process. Installation time varies depending on system speed and memory. Make sure you allow at least one hour to perform the installation.

Important: When you install multiple replica instances, you must install them serially. Do not attempt to install them in parallel.

To install Authentication Manager using the GUI-based installer:

1. Locate and launch the installer for your platform:
auth_mgr\win32-x86\setup.exe (Windows)
auth_mgr/linux-x86/setup.sh (Linux)

2. Respond to the prompts for Welcome, Select Region, License Agreement, and Choose Destination Location.

3. Select Authentication Manager Replica Instance.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as the root user, not as the installation user. See System Update Script for Linux.

Note: If you want to change the installation type at a later date, you must uninstall the existing Authentication Manager and reinstall it using the new installation type. Installation types are described in Installation Types.

4. The installer displays the hostname and IP address that will be used for installation. Check this information. Click OK > Next if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is the primary network adapter. The Security Console listens only on the IP address you specify.

5. Locate the folder that contains your Authentication Manager license file, server key, and certificate files. Click Browse to find and select this folder on the installation host (the files in the folder are not displayed). Click Next, and verify the license information. The license grants access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

6. Review the summary screen, verifying the features you have selected and the disk space required.

7. Enter the following information at the prompts:
The location of the replica package you created and transferred from the primary instance. If you have not finished these tasks, see Preparing to Install a Replica Instance.
The master password for the primary instance, specified at primary installation time.
The desired setting for offline or online synchronization of data. See Creating a Replica Package File.

8. To begin copying Authentication Manager files, click Install. The installer begins copying files and displays a progress indicator.

9. Click Finish to close the installer. Unless you clear the checkboxes for opening the Release Notes and Security Console, these open in your default browser after you click Finish.

10. When prompted by your browser, accept the certificate for the Security Console. As part of the normal installation, the installer creates a certificate authority and uses it to sign the Security Console browser certificate. Because this certificate authority is not in your browser's trust store, the browser warns about the certificate on first connection; this is expected on a fresh installation.

11. Continue to Securing Backup Files to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Command Line Installation

Use the command line installation if you prefer a command interface or if you intend to run the installation through a script. The prompts for command line installation are displayed with instructions on how to proceed or select options. Enter 1 to proceed, 3 to cancel, and 5 to redisplay.

Important: When you install multiple replica instances, you must install them serially. Do not attempt to install them in parallel.

To install Authentication Manager using the command line installer:

1. From a command prompt, change to the directory containing the installer:
auth_mgr\win32-x86\setup.exe (Windows)
auth_mgr/linux-x86/setup.sh (Linux)

2. Enter the appropriate command for your platform:
For Windows, type: setup.exe -console
For Linux, type: ./setup.sh -console

3. Respond to the prompts for Select Region, License Agreement, and Choose Destination Location.

Note: If you are not automatically taken to the next prompt, type 0.

4. Select Authentication Manager Replica Instance.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as the root user, not as the installation user. See System Update Script for Linux.

5. The installer displays the hostname and IP address that will be used for installation. Check this information, and select 1 if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is the primary network adapter. The Security Console listens only on the IP address you specify.

6. Enter the name of the folder that contains your Authentication Manager license file, server key, and certificate files. The license grants access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

7. Review the summary screen, verifying the features you have selected and the disk space required.

8. Enter the following information at the prompts:
The location of the replica package you created and transferred from the primary instance. If you have not finished these tasks, see Preparing to Install a Replica Instance.
The master password for the primary instance, specified at primary installation time.
The desired setting for offline or online synchronization of data. See Creating a Replica Package File.

Once you proceed from this screen, the installer begins copying files and displays a progress indicator. To cancel the installation, enter 3, and respond 1 (Yes) to the prompts to remove installer files.

9. When the installer displays a message indicating successful installation, continue to Securing Backup Files to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Silent Installation

Important: When you install multiple replica instances, you must install them serially. Do not attempt to install them in parallel.

For a silent installation, you must:
Locate the appropriate response file template for your installation type (primary instance, replica instance, or server node), edit it with your actual values, and save it as a response file.
Launch the installer with arguments that specify silent and point to the response file.

These tasks are described in the following sections.

Creating a Response File from the Template

Locate the following response file templates in resource/silent_install/:
primary_template.txt
replica_template.txt
node_template.txt

To create a response file from the template:

1. Open the appropriate template file for your installation type.

2. Enable settings in the template by removing the leading ### characters from each line of text (search to find the settings you can change).

3. Specify values for enabled settings by replacing the characters '<value>' with the actual value for that setting. See the manual installation chapter for your installation type. For example, refer to Chapter 4, Installing an RSA Authentication Manager Primary Instance when editing primary_template.txt.

4. Save your changes with a new filename. This filename is required in the next step, launching a silent installation.

Note: The response file supplies the values that the interactive installer would otherwise prompt for, including the master password. Restrict read access to the file to the installation user, and delete it when the installation is complete.

Launching a Silent Installation

To perform a silent installation, add -silent -options response_file to your installation command.

GUI-Based Windows Example:
setup.exe -silent -options response1.txt

Command Line Windows Example:
setup.exe -console -silent -options response1.txt

GUI-Based Linux Example:
./setup.sh -silent -options response1.txt

Command Line Linux Example:
./setup.sh -console -silent -options response1.txt

Note: If you use the GUI-based installer for silent installation, the screens are displayed with the response file values in place of the defaults, which may be manually overridden.

Rebalancing Contact Lists

After you add a replica instance and any server nodes to that replica instance, you must rebalance the contact lists in the primary instance RSA Security Console. This updates references to the new replica instances and server nodes.

To update your contact lists:

1. Click Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.

2. Click Rebalance.

3. Perform an authentication.

Securing Backup Files

The installer automatically backs up a list of important files to RSA_AM_HOME/backup. Immediately after installation, move the backup directory to a secure location.

Important: For highest security, store SYSTEM.SRK, included in your backup folder, on removable media. Retrieve this private key only for disaster recovery.

Verifying the Installation

To verify that the installation was successful:

1. Access the Security Console web application from a supported browser by entering the Security Console URL as shown:

https://fully_qualified_domain_name:7004/console-ims/

For example, if the fully qualified domain name of your Authentication Manager installation is host.mycompany.com, type the following in your browser:

https://host.mycompany.com:7004/console-ims

2. Log on to the Security Console using your password.

6 Installing a Server Node for Improved Performance

Preparing to Install a Server Node
GUI-Based Installation
Command Line Installation
Silent Installation
Securing Backup Files
Verifying Server Node Function

Preparing to Install a Server Node

Gather information from the primary or replica database server and make it available to the server node host according to these steps:

1. Create a node package file from the database server using the Manage Nodes utility. See the following section, Creating a Node Package File.

2. Transfer the node package file to the target host. Each package file is unique, functioning properly only on the host specified during its creation. See Transferring the Node Package File. Note the location on the target host where you copy the package. This information, along with the master password, is required during installation.

Important: The server node must be installed on the same platform as the primary or replica instance. Also, the host for the server node must be in the same subnet as its primary or replica database server. Server node installation fails if these requirements are not met.

Creating a Node Package File

Create a node package file using the Manage Nodes utility. To create a node package file with the Manage Nodes utility as described in this section, you need to provide the following information:
Server node hostname
Master password

Note: For complete detail on manage-nodes commands, type rsautil manage-nodes --help at a command prompt in RSA_AM_HOME/utils/.

To create a node package using the Manage Nodes utility:

1. From a command prompt on the host of the database server, change to RSA_AM_HOME/utils/.

2. Type:

rsautil manage-nodes --node-host hostname --action add-node

where hostname is the fully qualified hostname of the server node host.

3. At the prompt, enter your master password. The message Adding node to cluster appears.

4. Verify that the directory contains a file named hostname-node.pkg, where hostname reflects the value you specified for the --node-host argument.

Transferring the Node Package File

Once you have used the Manage Nodes utility on the primary or replica database server to create a node package, you must transfer it to the target host. RSA Security recommends that you transfer the package through a secure network or by removable media. Note the location on the target host where you copy the package. This information, along with the master password, is required during installation.

GUI-Based Installation

Use the GUI-based installer if you prefer standard graphical screens to assist you through the process. Installation time varies depending on system speed and memory. Make sure you allow at least one hour to perform the installation.

Important: Make sure the primary or replica instance where you created the node package is running before you begin the installation.

To install Authentication Manager using the GUI-based installer:

1. Locate and launch the installer for your platform:
auth_mgr\win32-x86\setup.exe (Windows)
auth_mgr/linux-x86/setup.sh (Linux)

2. Respond to the prompts for Welcome, Select Region, License Agreement, and Choose Destination Location.

3. Select Authentication Manager Node.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as the root user, not as the installation user. See System Update Script for Linux.

Note: If you want to change the installation type at a later date, you must uninstall the existing Authentication Manager and reinstall it using the new installation type. Installation types are described in Installation Types.

4. The installer displays the hostname and IP address that will be used for installation. Check this information. Click OK > Next if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is the primary network adapter. The Security Console listens only on the IP address you specify.

5. Locate the folder that contains your Authentication Manager license file, server key, and certificate files. Click Browse to find and select this folder on the installation host (the files in the folder are not displayed). Click Next, and verify the license information. The license grants access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

6. Review the summary screen, verifying the features you have selected and the disk space required.

7. Enter the following information at the prompts:
The location of the node package you created and transferred from the primary or replica instance. If you have not finished these tasks, see Preparing to Install a Server Node.
The master password for the primary instance, specified at primary installation time.

8. To begin copying Authentication Manager files, click Install. The installer begins copying files and displays a progress indicator.

9. Click Finish to close the installer. Unless you clear the checkboxes for opening the Release Notes and Security Console, these open in your default browser after you click Finish.

10. When prompted by your browser, accept the certificate for the Security Console. As part of the normal installation, the installer creates a certificate authority and uses it to sign the Security Console browser certificate. Because this certificate authority is not in your browser's trust store, the browser warns about the certificate on first connection; this is expected on a fresh installation.

11. Continue to Securing Backup Files to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Command Line Installation

Use the command line installation if you prefer a command interface or if you intend to run the installation through a script. The prompts for command line installation are displayed with instructions on how to proceed or select options. Enter 1 to proceed, 3 to cancel, and 5 to redisplay.

Important: Make sure the primary or replica instance where you created the node package is running before you begin the installation.

To install Authentication Manager using the command line installer:

1. From a command prompt, change to the directory containing the installer:
auth_mgr\win32-x86\setup.exe (Windows)
auth_mgr/linux-x86/setup.sh (Linux)

2. Enter the appropriate command for your platform:
For Windows, type: setup.exe -console
For Linux, type: ./setup.sh -console

3. Respond to the prompts for Select Region, License Agreement, and Choose Destination Location.

Note: If you are not automatically taken to the next prompt, type 0.

4. Select Authentication Manager Node.

Important: At this point, the installer informs you of unmet or missing requirements and prerequisites for installation and offers you the option to continue anyway. Select Continue anyway only if you are directed to do so by RSA Customer Support or if you are certain you want to accept the risk. On Linux, the installer may warn you to run a system configuration script before continuing. Run this script as the root user, not as the installation user. See System Update Script for Linux.

5. The installer displays the hostname and IP address that will be used for installation. Check this information, and select 1 if it is the expected hostname and IP address.

Note: If the machine has multiple network interface cards, make sure the IP address and hostname you specify during installation belong to the interface you want to use. The default is the primary network adapter. The Security Console listens only on the IP address you specify.

6. Enter the name of the folder that contains your Authentication Manager license file, server key, and certificate files. The license grants access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server.

7. Review the summary screen, verifying the features you have selected and the disk space required.

8. Enter the following information at the prompts:
The location of the node package you created and transferred from the primary or replica instance. If you have not finished these tasks, see Preparing to Install a Server Node.
The master password for the primary instance, specified at primary installation time.

Once you proceed from this screen, the installer begins copying files and displays a progress indicator. To cancel the installation, enter 3, and respond 1 (Yes) to the prompts to remove installer files.

9. When the installer displays a message indicating successful installation, continue to Securing Backup Files to perform important post-installation tasks.

If you encounter any problems installing Authentication Manager, see Appendix A, Troubleshooting.

Silent Installation

For a silent installation, you must:
Locate the appropriate response file template for your installation type (primary instance, replica instance, or server node), edit it with your actual values, and save it as a response file.
Launch the installer with arguments that specify silent and point to the response file.

These tasks are described in the following sections.

Creating a Response File from the Template

Locate the following response file templates in resource/silent_install/:
primary_template.txt
replica_template.txt
node_template.txt

To create a response file from the template:

1. Open the appropriate template file for your installation type.

2. Enable settings in the template by removing the leading ### characters from each line of text (search to find the settings you can change).

3. Specify values for enabled settings by replacing the characters '<value>' with the actual value for that setting. See the manual installation chapter for your installation type. For example, refer to Chapter 4, Installing an RSA Authentication Manager Primary Instance when editing primary_template.txt.

4. Save your changes with a new filename. This filename is required in the next step, launching a silent installation.

Note: The response file supplies the values that the interactive installer would otherwise prompt for, including the master password. Restrict read access to the file to the installation user, and delete it when the installation is complete.

Launching a Silent Installation

Important: Make sure the primary or replica instance where you created the node package is running before you begin the installation.

To perform a silent installation, add -silent -options response_file to your installation command.

GUI-Based Windows Example:
setup.exe -silent -options response1.txt

Command Line Windows Example:
setup.exe -console -silent -options response1.txt

GUI-Based Linux Example:
./setup.sh -silent -options response1.txt

Command Line Linux Example:
./setup.sh -console -silent -options response1.txt

Note: If you use the GUI-based installer for silent installation, the screens are displayed with the response file values in place of the defaults, which may be manually overridden.
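The response file procedure is the same for the replica instance and server node chapters: uncomment the ### lines you need in the template and replace each '<value>' placeholder. The following POSIX shell script is an added example written for this guide, not RSA's installer code or its templates. It renders a response file from a template and a separate key=value settings file, enabling only the lines for which a value is supplied, and counts any enabled lines that still carry the placeholder. The template line shape it assumes (### key=<value>), the setting names in the sample, and the file names are assumptions of the example; check them against the real template shipped in resource/silent_install/.

```shell
#!/bin/sh
# Added example: build a silent-install response file from a template.
# Not RSA code. Assumed template line shape: "### key=<value>", where the
# leading ### disables the setting and <value> is the placeholder to fill.

PLACEHOLDER='<value>'

# lookup_setting SETTINGS KEY: print the value for KEY from a key=value file
lookup_setting() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# render_response TEMPLATE SETTINGS: write the rendered response file to stdout.
# A ### line is enabled only when SETTINGS supplies a value for its key;
# every other line is copied through unchanged, so nothing is enabled by accident.
render_response() {
    template=$1; settings=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '###'*)
                body=${line#"###"}
                body=${body# }
                key=${body%%=*}
                value=$(lookup_setting "$settings" "$key")
                if [ -n "$value" ]; then
                    case "$body" in
                        *"$PLACEHOLDER"*)
                            body="${body%"$PLACEHOLDER"*}$value${body#*"$PLACEHOLDER"}" ;;
                    esac
                    printf '%s\n' "$body"
                else
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$template"
}

# unresolved_count FILE: number of enabled lines that still contain <value>
unresolved_count() {
    grep -v '^###' "$1" | grep -c "$PLACEHOLDER" || true
}

# Usage (file names are assumptions). The response file carries the master
# password, so create it owner-readable only and delete it after setup:
#   (umask 077; render_response replica_template.txt my_values.txt > response1.txt)
#   [ "$(unresolved_count response1.txt)" -eq 0 ] && ./setup.sh -console -silent -options response1.txt
```

Keep the settings file out of the installer directory and out of version control; the point of rendering from a separate file is that the template can be shared while the values, including the master password, are not.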

Securing Backup Files

The installer automatically backs up a list of important files to RSA_AM_HOME/backup. Immediately after installation, move the backup directory to a secure location.

Important: For highest security, store SYSTEM.SRK, included in your backup folder, on removable media. Retrieve this private key only for disaster recovery.

Verifying Server Node Function

After the installation, do the following:
Make sure the server node can communicate with other hosts. Use the Multicast Network Test utility. See Multicast Network Test Utility.
Verify that the RSA Authentication Manager service is running. On Windows, check that it is in the Started state in the Windows Services Manager. On Linux, run ./rsaam status all from RSA_AM_HOME/server (see Starting and Stopping RSA Authentication Manager Services on Linux).

7 Performing Post-Installation Tasks

Additional Linux Configuration
Backing Up a Standalone Primary Instance
Securing the Connection Between the Primary Instance and Replica Instances
Starting RSA Authentication Manager Services
Logging On to the RSA Security Console
System Security
Optional Proxy Servers for Remote Token Key Generation

Additional Linux Configuration

After RSA Authentication Manager is installed, you must configure every Linux system (primary instance, replica instance, and server node) to allow the Authentication Manager process to set the system and hardware clock. Failing to perform these steps results in time check failure messages in the system log and prevents the system from keeping the server node and replica instance clocks synchronized to the primary instance.

To set the system and hardware clock:

1. In a command shell, execute su root to change context to the root user.

2. Change directories to RSA_AM_HOME/utils/bin.

3. Execute the following command:

./setclock -enable

Backing Up a Standalone Primary Instance

If your deployment has a standalone primary instance (no replica instances), you must back up the database immediately after installing Authentication Manager. If the machine hosting the primary instance fails, use this backup to restore the database. Perform this backup periodically to ensure that a current version of the database is always available for disaster recovery. Store the backup in a safe location.

When To Perform a Backup

You must back up both the registry and the specified files (listed in the following sections, Backing Up a Standalone Primary Instance on Windows and Backing Up a Standalone Primary Instance on Linux) immediately after installation. Back up the specified files only (not the registry) after you perform the following operations:
Add or delete a replica instance or server node.
Add or delete an identity source.

Note: For instructions on restoring a backup, see the chapter Disaster Recovery in the Administrator's Guide.

Backing Up a Standalone Primary Instance on Windows

To back up the primary instance:

1. Make sure all Authentication Manager services are shut down. See Starting and Stopping RSA Authentication Manager Services on Windows.

2. Back up all files in the following directories (or wherever you chose to install Authentication Manager):
C:\RSA_AM_HOME\RSA Authentication Manager
C:\Program Files\Common Files\InstallShield\Universal\rsa_am

3. Back up the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleDBConsole
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleJobScheduler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleRSATNSListener
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSAAM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSAAM_ADM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSAAM_NM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSAAM_PS
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE
HKEY_LOCAL_MACHINE\SOFTWARE\RSA Security

Important: Your Oracle key names do not exactly match the four Oracle keys listed above, because the database SID is appended to the end of each Oracle key name. Make sure you save all four Oracle keys under their actual names.

4. Start the RSA Authentication Manager database process. Click Start > Settings > Control Panel > Administrative Tools > Services > RSA Authentication Manager Database Server.

5. Back up the internal database using the Manage Backups utility. For instructions, see the chapter Disaster Recovery in the Administrator's Guide.

Backing Up a Standalone Primary Instance on Linux

To back up the primary instance:

1. Make sure all Authentication Manager services are shut down. See Starting and Stopping RSA Authentication Manager Services on Linux.

2. Back up all files in the RSA_AM_HOME directory, all files in the $HOME/InstallShield/Universal/rsa_am directory, and the following two files:
/etc/security/limits.conf
/etc/services

Use the following command, substituting your actual Authentication Manager installation directory for RSA_AM_HOME (gtar is GNU tar, which on most Linux systems is simply tar):

gtar -czf am_backup.tar.gz $HOME/InstallShield/Universal/rsa_am RSA_AM_HOME /etc/security/limits.conf /etc/services

3. Start the RSA Authentication Manager database process. See Starting and Stopping RSA Authentication Manager Services on Linux.

4. Back up the internal database using the Manage Backups utility. For instructions, see the chapter Disaster Recovery in the Administrator's Guide.

Securing the Connection Between the Primary Instance and Replica Instances

RSA Authentication Manager encrypts sensitive data in the database. Data that is not considered sensitive is stored in an unencrypted format. As part of Authentication Manager's high availability and failover, data is sent between replication server nodes in both encrypted and unencrypted formats. RSA Security recommends that you implement your company's networking best practices to ensure that network connections between server nodes in a WAN are secure; for example, carry replication traffic over a VPN or an IPsec tunnel.
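The Linux backup procedure in Backing Up a Standalone Primary Instance on Linux is four manual steps, and the archive it produces contains the files that Securing Backup Files says to protect, so it is worth scripting so that the service stop, the archive, a verification of the archive, and the database restart always happen together. The following POSIX shell script is an added example written for this guide, not RSA's code. It uses the path list from step 2, GNU tar (gtar in the guide) and the rsaam actions documented in Starting and Stopping RSA Authentication Manager Services on Linux. The RSA_AM_HOME and home directory values passed in, the archive name, and the decision to refuse to run as root or without a reachable rsaam script are assumptions of the example.

```shell
#!/bin/sh
# Added example: scripted backup of a standalone primary instance on Linux.
# Not RSA code. Assumes the paths listed in step 2 of the guide and the
# rsaam script in RSA_AM_HOME/server. Run it as the Authentication Manager
# user, not root, matching the guide's rule for starting the servers.

# backup_paths RSA_AM_HOME USER_HOME: the files the guide lists for Linux, one per line
backup_paths() {
    printf '%s\n' "$1" "$2/InstallShield/Universal/rsa_am" \
        /etc/security/limits.conf /etc/services
}

# create_backup ARCHIVE PATH...: archive the paths with GNU tar (gtar in the guide).
# The archive holds keys and the systemfields vault, so it is created owner-readable only.
create_backup() {
    archive=$1; shift
    ( umask 077; tar -czf "$archive" "$@" )
}

# verify_backup ARCHIVE PATH...: 0 if every path is present in the archive listing.
# tar strips the leading "/" from member names, so compare against the relative form.
verify_backup() {
    archive=$1; shift
    listing=$(tar -tzf "$archive")
    rc=0
    for p in "$@"; do
        rel=${p#/}
        if ! printf '%s\n' "$listing" | grep -q "^$rel"; then
            echo "MISSING from $archive: $p" >&2
            rc=1
        fi
    done
    return "$rc"
}

# backup_primary ARCHIVE RSA_AM_HOME USER_HOME: the guide's steps 1 to 3 in order.
# Refuses to archive a live database: if rsaam cannot be found, it stops rather
# than guessing whether the services are down.
backup_primary() {
    archive=$1; am_home=$2; user_home=$3
    if [ "$(id -u)" -eq 0 ]; then
        echo "Run this as the Authentication Manager user, not root" >&2
        return 1
    fi
    rsaam=$am_home/server/rsaam
    if [ ! -x "$rsaam" ]; then
        echo "$rsaam not found; refusing to archive without stopping the services" >&2
        return 1
    fi
    "$rsaam" stop all || return 1
    set -- $(backup_paths "$am_home" "$user_home")     # paths are assumed to contain no spaces
    create_backup "$archive" "$@" || return 1
    verify_backup "$archive" "$@" || return 1
    "$rsaam" start db        # step 3: the database must be up for the Manage Backups utility
}

# Usage (values are assumptions):
#   backup_primary /backup/am_backup.tar.gz /opt/rsa/am "$HOME"
# then run the Manage Backups utility as the Administrator's Guide describes (step 4).
```

Copy the finished archive off the host as the guide's Securing Backup Files section requires; the verification step only proves the archive is complete, not that it is stored safely.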
Starting RSA Authentication Manager Services

If you need to start or stop Authentication Manager services manually for testing, troubleshooting, or other ongoing system administration, follow the instructions provided in this section.

This section describes:
Starting and Stopping RSA Authentication Manager Services on Windows
Starting and Stopping RSA Authentication Manager Services on Linux

Note: The Node Manager is a watchdog process that stops and starts the RSA Authentication Manager services. Node Manager must be running at all times in order for RSA Authentication Manager services to be running.

Starting and Stopping RSA Authentication Manager Services on Windows

On Windows, Authentication Manager runs as services. The installer creates the following services on Windows:
RSA Authentication Manager
RSA Authentication Manager Cluster Administration Server
RSA Authentication Manager Database Console
RSA Authentication Manager Database Listener
RSA Authentication Manager Database Server
RSA Authentication Manager Proxy Server
RSA Authentication Manager Job Scheduler
RSA Authentication Manager Node Manager

To start the RSA Authentication Manager services on Windows:

1. From the Windows Control Panel, click Administrative Tools > Services.

2. In the Services list, right-click RSA Authentication Manager, and click Start in the pop-up menu. The corresponding status changes to Started. It may be a number of minutes until the service has actually started. The other Authentication Manager services also start automatically (if they are not already running).

Note: Two services are not used: RSA Authentication Manager Database Console (startup type = manual) and RSA Authentication Manager Job Scheduler (startup type = disabled). Ignore these services.

3. Close the Services dialog box.

To stop the RSA Authentication Manager services on Windows:

1. From the Windows Control Panel, click Administrative Tools > Services.

2. In the Services list, right-click each service that you want to stop, and click Stop in the pop-up menu. It may take several minutes for the service to actually stop.

Note: You must stop each service individually.

3. Close the Services dialog box.

Starting and Stopping RSA Authentication Manager Services on Linux

On Linux, you can stop and start the servers using the rsaam command found in the RSA_AM_HOME/server directory. Use the command with an action and a service name to stop, start, restart, or view the status of all servers or of each service independently:

./rsaam {stop|start|status|restart} manager
./rsaam {stop|start|status|restart} proxy
./rsaam {stop|start|status|restart} admin
./rsaam {stop|start|status|restart} dblistener
./rsaam {stop|start|status|restart} db
./rsaam {stop|start|status|restart} dbconsole
./rsaam {stop|start|status|restart} nodemanager
./rsaam {stop|start|status|restart} all

Important: Do not start the servers as the root user. RSA Security recommends that you create a Linux security administrator account for administration of Authentication Manager and run the servers as that user.

To start the RSA Authentication Manager services on Linux:

Change directories to RSA_AM_HOME/server, and type:

./rsaam start all

The following messages appear:
RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]
RSA Authentication Manager Cluster Administration Server: [ OK ]
RSA Authentication Manager Proxy Server: [ OK ]
RSA Authentication Manager: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]

To stop the RSA Authentication Manager services on Linux:

Change directories to RSA_AM_HOME/server, and type:

./rsaam stop all

The following messages appear:
RSA Authentication Manager: [ OK ]
RSA Authentication Manager Proxy Server: [ OK ]
RSA Authentication Manager Cluster Administration Server: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Database Console: [ OK ]
RSA Authentication Manager Node Manager: [ OK ]
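Because the Node Manager watchdog keeps the services up, a service that has stopped on a Linux instance shows up first in the rsaam output rather than in the Security Console, so it is worth turning that output into a pass/fail check that a cron job or monitoring agent can run. The following POSIX shell script is an added example written for this guide, not part of RSA's rsaam script. It parses lines in the Name: [ OK ] shape shown above (tolerating the uneven spacing inside the brackets) and reports any service whose status token is not OK. It assumes that ./rsaam status all prints the same line shape as the start and stop messages, and the [FAILED] line in the constructed sample is an assumption about how a stopped service is reported; adjust the pattern to what your system actually prints.

```shell
#!/bin/sh
# Added example: health check over rsaam status output. Not RSA code.
# Assumes "Service Name: [ STATUS ]" lines as shown in the guide; the
# [FAILED] token in the constructed sample below is an assumption.

# not_ok_services < status_output: prints each service whose status token is not OK
not_ok_services() {
    sed -e 's/[[:space:]]*$//' \
        -e 's/^\(.*\):[[:space:]]*\[[[:space:]]*\([A-Za-z]*\)[[:space:]]*\]$/\2 \1/' \
        -n -e '/^[A-Za-z]* RSA/p' |
    awk '$1 != "OK" { sub(/^[^ ]+ /, ""); print }'
}

# check_rsaam_status < status_output: 0 when every service is OK, 1 otherwise
check_rsaam_status() {
    bad=$(not_ok_services)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/NOT OK: /' >&2
        return 1
    fi
    return 0
}

# run_check RSA_AM_HOME: query the live servers; run as the Authentication
# Manager user (the guide says never to run rsaam as root)
run_check() {
    "$1/server/rsaam" status all | check_rsaam_status
}

# Constructed sample output: the OK lines are in the guide's shape, the
# FAILED line is an assumption used to show a failing service.
SAMPLE_STATUS='RSA Authentication Manager Database Listener: [ OK ]
RSA Authentication Manager Database Server: [ OK ]
RSA Authentication Manager Node Manager: [OK]
RSA Authentication Manager Cluster Administration Server:[OK ]
RSA Authentication Manager Proxy Server: [FAILED]
RSA Authentication Manager: [ OK ]'

# Usage:
#   run_check /opt/rsa/am || logger -t rsaam-check "Authentication Manager service not OK"
#   printf '%s\n' "$SAMPLE_STATUS" | not_ok_services
```

A non-zero exit from run_check is the signal to look at the system log for the time check failures described in Additional Linux Configuration, or at the Node Manager, before restarting anything by hand.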

Setting Up Automatic Start on Linux

Authentication Manager provides an auto-start capability using the rsaam script.

To set up automatic start:

1. Log on as the root user.
2. Type:
     cp RSA_AM_HOME/server/rsaam /etc/rc.d/init.d
3. Type:
     chmod 755 /etc/rc.d/init.d/rsaam
4. Type:
     /sbin/chkconfig --add rsaam

Logging On to the RSA Security Console

You can access the Security Console web application from a supported browser by entering the Security Console URL in the following form:

  https://fully_qualified_domain_name:7004/console-ims/

For example, if the fully qualified domain name of your Authentication Manager installation is host.mycompany.com, type the following in your browser:

  https://host.mycompany.com:7004/console-ims

On Windows systems, you can also access the Security Console by clicking Start > Programs > RSA Security > RSA Security Console.

Enabling JavaScript

Before you log on, enable JavaScript.

Enabling JavaScript for Internet Explorer

For Internet Explorer, select Tools > Internet Options > Security. Select the appropriate web content zone. If you use the default security level, JavaScript is enabled. If you use a custom security setting, click Custom Level, and do the following:

- Scroll down to Miscellaneous > Use Pop-up Blocker, and select Disable.
- Scroll down to Scripting > Active Scripting, and select Enable.
- Scroll down to Scripting > Allow paste operations via script, and select Enable.
- Scroll down to Scripting > Scripting of Java Applets, and select Enable.

Enabling JavaScript for Mozilla Firefox

Generally, you do not need to enable JavaScript for Firefox. If JavaScript is disabled, however, perform these steps:

1. Open the Firefox browser.
2. Click Tools > Options > Content.
3. Check Enable JavaScript.
4. Click OK.

Adding the RSA Security Console to Trusted Sites

If Internet Explorer is configured for enhanced security levels, you must add the Security Console URL to the list of trusted sites.

To add the RSA Security Console to trusted sites:

1. In Internet Explorer, select Tools > Internet Options > Security.
2. Select the Trusted Sites icon, and click Sites.
3. Type the URL for the Security Console in the entry next to the Add button.
4. Clear Require server verification (https:) for all sites.
5. Click Add to add the Security Console URL to the trusted sites.

To log on to the RSA Security Console:

1. Launch the Security Console.
2. At the prompt, type the user name of the Super Admin specified during installation.
3. At the password prompt, type the Super Admin password specified during installation.

The Super Admin role includes the ability to create a new Super Admin and other administrators. See the chapter Preparing RSA Authentication Manager for Administration in the Administrator's Guide.

System Security

With the exception of system passwords, it is typically not necessary to change the default security settings described in this section.

Passwords and Keys in systemfields.properties

The Authentication Manager installer generates the keys and passwords used to access internal services such as the internal database. These credentials are stored in a secure vault at RSA_AM_HOME/backup/systemfields.properties, protected both by a system-specific key for unattended startup and by a master password for interactive operations.

Super Admin Password

You specify the Super Admin password during the primary instance installation. The value you give for the Super Admin password during installation is also used as the master password. You can change either or both of the master and Super Admin passwords after installation if you require a strong separation of roles. You can change the Super Admin password by logging on to the Security Console and editing the password field for the Super Admin.

Master Password

Choosing a strong but memorable master password is important. The master password protects other sensitive credentials and is used with many of the Authentication Manager command line utilities. You must specify it when you install the primary instance. When you add replica instances and additional server nodes to your system, you must use the master password to install them. After installation, the new server nodes or replica database servers use this same master password for all internal uses, such as running command line utilities.

If you want to change your master password from the one chosen during installation of the primary instance, it is easiest to change it before adding replica instances and server nodes. If you change it later, you must run the manual password change procedure on each replica instance database server and server node. You can change your master password using the Manage Secrets utility.

To change your master password using manage-secrets:

1. From a command prompt, change directories to RSA_AM_HOME/utils/.
2. Type:
     rsautil manage-secrets --action change --new-password new_password
3. Type your current master password (the one you want to change) at the prompt. The message "Master password changed successfully" appears.
4. To make sure your new master password is backed up, copy systemfields.properties to a secure location.

Important: When you change the master password on any Authentication Manager server node, you are only changing it for that server node. If you want the new password to be common among all server nodes in an instance, you must manually change it on each server node.

Internal System Passwords

The Manage Secrets utility is used to recover or change the passwords used to access various internal services. These services include:

- User name/password for managing the embedded WebLogic server
- User name/password for authenticating to the command server
- User name/password for accessing the database
- User name/password for managing the database schema
- User name/password for managing the database replication policies

To view a list of your system passwords, use the --action list option. This command lists each password name and its value.

To view a list of your system passwords using manage-secrets:

1. From a command prompt, change directories to RSA_AM_HOME/utils/.
2. Type:
     rsautil manage-secrets --action list
3. Type your master password when prompted. The system displays the list of your internal system passwords.

To change a system password, you must specify the actual property name (key) of the password together with its new value. Use the --action listkeys command to find the key for the system password you want to change.

To change system passwords using manage-secrets:

1. From a command prompt, change directories to RSA_AM_HOME/utils/.
2. Type:
     rsautil manage-secrets --action set property_name property_value
   where property_name is the password you want to change, and property_value is the new password. For example:
     rsautil manage-secrets --action set com.rsa.appserver.admin.password administrator_password
3. Type your master password when prompted.

Certificates and Keystores for SSL

SSL is enabled by default for all communication ports. During installation, a self-signed root certificate for the deployment is generated and stored in RSA_AM_HOME/server/security/root.jks. Additional server certificates are generated and signed by this root certificate when you add server nodes and replica instances. Because the newly created default self-signed certificate is not in your list of trusted root certificates, you receive a warning when first accessing the Security Console. Importing the root certificate into the browser, as described in the installation procedure, prevents this warning from being displayed.

Replacing Installed Certificates

If you have an existing certificate authority and would prefer to issue your own certificates, you can replace the installer-generated certificates with your own. Use the Manage SSL Certificate utility together with your certificate authority to replace the default certificates. The variables referenced in this section are listed in Manage SSL Certificate Utility on page 109.

To replace the default certificates:

1. From a command prompt, change directories to RSA_AM_HOME/utils/.
2. Type the command to generate a public/private key pair in a keystore using the --genkey option, entering your master password when prompted:
     rsautil manage-ssl-certificate --genkey --alias myalias --keypass mykeypass --dname certificatedn --keystore RSA_AM_HOME/server/security/hostname.jks
3. Type the command to create a certificate signing request (to submit to a certificate authority) from the public/private key pair, entering your master password when prompted:
     rsautil manage-ssl-certificate --certreq --alias myalias --keypass mykeypass --keystore RSA_AM_HOME/server/security/hostname.jks --csr-file c:/certificates/mycertreq.pem
4. Submit the request to your certificate authority, and create a signed server certificate. See your CA documentation for more information.
5. Physically transfer the signed server certificate to the Authentication Manager database server (primary or replica).
6. Use the Manage SSL Certificate utility to import the CA certificate into the root keystore and the signed server certificate into the server keystore, entering your master password when prompted. At RSA_AM_HOME/utils/, type:
     rsautil manage-ssl-certificate --import --trustcacerts --ca-alias mycaalias --ca-cert-file c:/certificates/mycacertificate.pem --ca-keystore RSA_AM_HOME/server/security/root.jks
   and
     rsautil manage-ssl-certificate --import --alias myalias --cert-file c:/certificates/myservercertificate.pem --keypass mykeypass --keystore RSA_AM_HOME/server/security/hostname.jks

   Note: If your path includes spaces, use quotes around it in this command.

7. Configure the application server for the new key alias and password, entering your master password when prompted. Type:
     rsautil manage-ssl-certificate --config-server --alias myalias --keypass mykeypass --server-name myservernodename

   Note: For the primary instance, you need to configure both proxy_server and hostshortname_server.

8. Restart the server for the config-server changes to take effect.

Option Flags for manage-ssl-certificate

The following table describes the option flags for this utility. The flags listed indented beneath an action flag apply to that action.

Flag                      Alternate Flag  Description
--genkey                                  Generates public and private key pairs.
  --alias                                 Alias for the key entry.
  --keypass                               Password for the key entry.
  --dname                                 Distinguished name of the certificate.
  --keystore                              Path of the keystore file.
  --master-password       -m              Master password of the encrypted properties file.
--certreq                                 Creates a certificate signing request (CSR).
  --csr-file                              Path of the CSR output file (optional).
  --alias                                 Alias for the key entry (optional).
  --keystore                              Path of the keystore file.
  --keypass                               Password for the key entry.
  --master-password       -m              Master password of the encrypted properties file.
--generate-cert-request   -g              Generates the key and the CSR at the same time.
  --alias                                 Alias for the key entry (optional).
  --keystore                              Path of the keystore file.
  --keypass                               Password for the key entry.
  --dname                                 Distinguished name of the certificate.
  --master-password       -m              Master password of the encrypted properties file.
  --csr-file                              Path of the CSR output file (optional).
--import                                  Imports CA and server certificates into the keystore.
  --trustcacerts                          CA certificate flag (used only if importing a CA certificate).
  --alias                                 Alias for the key entry (optional).
  --cert-file                             Path of the signed (encoded) certificate file from the CA.
  --keystore                              Path of the keystore file.
  --keypass                               Password for the key alias (only if importing a server certificate).
  --master-password       -m              Master password of the encrypted properties file.
--config-server                           Configures the server node to use the new private key.
  --server-name                           Application server node name.
  --alias                                 Alias for the key entry.
  --keypass                               Password for the key entry.
  --master-password       -m              Master password of the encrypted properties file.
--update-server-certs     -u              Imports the CA and server certificates and updates the application server configuration at the same time.
  --ca-alias                              Alias for the CA certificate.
  --ca-cert-file                          CA certificate file.
  --alias                                 Alias for the key entry.
  --cert-file                             Path of the encoded, signed certificate file from the CA.
  --keystore                              Path of the keystore file.
  --keypass                               Password for the key alias (only for a server certificate).
  --master-password       -m              Master password of the encrypted properties file.
  --server-name                           Application server node name.
--list                                    Lists one or more entries in the keystore.
  --alias                                 Alias for the key entry (optional).
  --keystore                              Path of the keystore file.
  --master-password       -m              Master password of the encrypted properties file.
--printcert                               Displays the certificate file information.
  --cert-file                             Name of the certificate file.
--help                    -h              Prints usage information.
--version                 -v              Displays version information.
--debug                   -x              Displays debugging information.

LDAP Certificates

If you choose to integrate LDAP directories, it may be necessary to import additional trusted root certificates in order for Authentication Manager to correctly authenticate the LDAP server. See Setting Up SSL for LDAP on page 83.

Legacy Compatibility Keystore

Certain internal services and protocols use these certificates and keys provided with your license:

- sdti.cer. A copy of the sdti.cer signing certificate.
- server.cer. RSA ACE/Server certificate generated by manufacturing for each license and signed by sdti.cer.
- server.key. Private key representation for server.cer.

These certificates and keys are not replaceable.

Optional Proxy Servers for Remote Token Key Generation

RSA Security recommends that you configure the following two proxy servers for use by the RSA Authentication Manager Remote Token Key Generation service. This service uses the Cryptographic Token-Key Initialization Protocol (CT-KIP).

Adding a Proxy Server to Create Secure URLs

If you install Authentication Manager inside a secure DMZ, you may decide to allow traffic to it only through a proxy server. If you choose to proxy the traffic going to your Authentication Manager, RSA Security recommends the following:

- Establish your proxy on the standard HTTP port, which is port 80, or the standard SSL port, which is port 443.
- From the RSA Security Console, click Setup > Component Configuration > Authentication Manager. Edit the Token Key Generation and Service Address fields to reflect the location of the proxy server.
- Configure your proxy server to forward all traffic to Authentication Manager and to maintain all path information and URL parameters.

A typical URL passed to the proxy server looks as follows:

  https://mydomain.com/...

The proxy server transforms this URL into one similar to the following:

  https://am-server.na.ex.net:7004/...

Note: The ellipsis in the URLs above represents a dynamically generated query string. Authentication Manager generates this string automatically, and it must be passed along as part of the URL.

Note the following about the above URLs:

- The domain name changes.
- The port changes to 7001.
- The remainder of the URL stays the same.

Adding a Proxy Server for CT-KIP Failover

Occasionally, it may be necessary to remove your primary instance from your deployment and promote a replica instance. When this happens, token key generation URLs and service addresses that you have distributed to users, but that users have not yet used, become invalid. If your proxy server supports failover mode, you can configure it to pass CT-KIP data to the new primary instance. This allows users to use the original token key generation URLs and service addresses, and saves administrators from having to send new URLs to users.
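The rewrite and failover behaviour described above, modelled as an added example that is not part of this guide and not RSA's code: the proxy changes only host and port, carries the generated query string through unchanged, and falls back to the promoted replica when the original primary no longer answers. The host names, the health map, the path /ctkip/service and the function names are constructed; port 7004 is taken from the example URL above.

```python
"""Model of the CT-KIP proxy rewrite and failover described in the guide.
Constructed example: host names, health data, the URL path and the function
names are assumptions, not RSA configuration.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Port of the Authentication Manager instance in the guide's example URL.
AM_PORT = 7004


def rewrite_to_instance(public_url: str, instance_host: str, port: int = AM_PORT) -> str:
    """Rewrite the public URL (https://mydomain.com/...) to the internal
    Authentication Manager instance. Only host and port change; the path and
    the generated query string are carried through untouched."""
    parts = urlsplit(public_url)
    if parts.scheme != "https":
        # CT-KIP data must not be downgraded to clear text on the way in.
        raise ValueError("refusing to proxy a non-https CT-KIP URL")
    if not parts.query:
        # Every CT-KIP URL carries the generated query string; an empty one
        # means the client or an intermediate device stripped it.
        raise ValueError("CT-KIP URL is missing its generated query string")
    return urlunsplit(("https", f"{instance_host}:{port}", parts.path,
                       parts.query, parts.fragment))


def choose_upstream(instances: List[str], healthy: Dict[str, bool]) -> Optional[str]:
    """Pick the first reachable instance in priority order: the original
    primary first, then the replica promoted to primary. None if nothing
    answers."""
    for host in instances:
        if healthy.get(host, False):
            return host
    return None


def forward(public_url: str, instances: List[str], healthy: Dict[str, bool]) -> str:
    """Full proxy decision: select an upstream, rewrite the URL, and verify
    that the URL parameters survived the rewrite."""
    target = choose_upstream(instances, healthy)
    if target is None:
        raise RuntimeError("no Authentication Manager instance is reachable")
    rewritten = rewrite_to_instance(public_url, target)
    # The parameters Authentication Manager generated must be identical,
    # otherwise the token key generation request is invalid on arrival.
    if parse_qs(urlsplit(rewritten).query) != parse_qs(urlsplit(public_url).query):
        raise RuntimeError("query string was altered during rewrite")
    return rewritten


if __name__ == "__main__":
    # Constructed sample: the primary has been removed, the replica promoted.
    sample_url = "https://mydomain.com/ctkip/service?k=abc123&v=1"
    order = ["am-server.na.ex.net", "am-replica.na.ex.net"]
    print(forward(sample_url, order,
                  {"am-server.na.ex.net": False, "am-replica.na.ex.net": True}))
```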

8 Accessing Users and Groups from an LDAP Directory

- Overview of LDAP Directory Integration
- Preparing for Integration
- Using the Initialize Identity Source Utility to Deploy Resource Adapters
- Enabling Identity Sources in the RSA Security Console
- Removing an Identity Source
- Identifying Orphaned LDAP Users

Overview of LDAP Directory Integration

You can integrate LDAP directories with Authentication Manager to access user and group data without modifying the LDAP schema. Depending on your needs, you can configure Authentication Manager to only read data from the LDAP directory, or to perform both read and write operations.

To integrate an LDAP directory, you perform certain tasks using the Initialize Identity Source (initialize-is) utility and other tasks using the RSA Security Console. Microsoft Active Directory single forest environments require additional configuration steps, as described in Integrating Active Directory Forest Identity Sources on page 78.

Important: Many of the tasks in the following sections require detailed knowledge of LDAP and of your directory server deployment. RSA Security recommends that these tasks be performed by a technician with LDAP experience and familiarity with the directory servers to be integrated.

Important: RSA Security recommends that you configure all identity sources as read-only.

To integrate an LDAP identity source:

1. Prepare your directory for integration. Do the following:
   - For Active Directory integrations, and optionally for Sun Java System Directory Server, perform the tasks described in Setting Up SSL for LDAP on page 83.

     Note: A read-only connection to Active Directory does not require SSL. By default, all Active Directory identity sources are read-only, but you can configure them to read/write.

   - Active Directory only: See Password Policy Considerations on page 84.
   - Active Directory only: Verify that your domain functional level supports group-to-group membership, and verify your group container, as described in Supporting Groups on page 84.
2. Deploy all resource adapters as described in Deploying Resource Adapters on page 85. You must deploy resource adapters on each primary or replica database server in your Authentication Manager environment. If you want to add a failover directory server to the identity source, specify its URL in your resource adapter deployment command.
3. Enable the identity source. Do the following:
   - Add the identity source by providing values for the required settings, as described in Adding the Identity Source on page 88 and the Help topic Add Identity Sources.
   - Link the identity source to an Authentication Manager realm as described in Linking an Identity Source to a Realm on page 89.
   - Verify your LDAP integration as described in Verifying the LDAP Identity Source on page 89.

Note: Though you must deploy resource adapters for each database server, including primary and replica database servers, you only need to add and link the identity source in the RSA Security Console once for each directory.

The following figure illustrates the process flow for integrating an LDAP directory as an identity source.

[Figure: LDAP Identity Source Tasks. Process flow: Prepare for integration; Deploy resource adapters on all database servers using the Initialize Identity Source utility; Add identity source in the RSA Security Console; Link identity source to a realm in the RSA Security Console; Verify identity source; End.]

Replica Instance Connections to Identity Sources

If your Authentication Manager deployment includes replica instances for failover, you must deploy resource adapters on each replica database server as well as on the primary database server. When deploying resource adapters on a replica database server, use the same value for the identity source name (--ldap-name) option flag as you used for the primary database server. For any additional replica instances, repeat the procedure.

Important: After deploying resource adapters on a replica database server, restart Authentication Manager.

Multiple resource adapters on separate database servers all connect to the same identity source (the one specified by --ldap-name) in a many-to-one relationship. Though you must perform multiple resource adapter deployments for an identity source in a replicated deployment, you need to complete only one RSA Security Console-based process to add and link the identity source.

Failover Directory Servers

If you have failover directory servers, you can specify them when deploying resource adapters. Provide the failover URL with the --ldap-failover-url option as described in Deploying Resource Adapters on page 85. Then, in case of a failure of your primary directory server, the system automatically connects to the failover server you specified.

Important: The directory server for failover must be a replica, or mirror image, of the primary directory server.

Integrating Active Directory Forest Identity Sources

Configuring Authentication Manager to access user and group data from an Active Directory forest entails some additional considerations and procedures.

Runtime and Administrative Identity Sources

To account for the architecture of an Active Directory forest, this section refers to two distinct types of identity sources:

- Runtime identity source. An identity source configured for runtime operations only: to find and authenticate users, and to resolve group membership within the forest. This identity source maps to your Active Directory Global Catalog.
- Administrative identity source. An identity source used for administrative operations such as adding users and groups. This identity source maps to a domain controller.

In a multi-domain Active Directory forest setup, the Global Catalog is added as a runtime identity source and the domain controllers are added as administrative identity sources. The Global Catalog is used at runtime as another directory to find and authenticate users, and to resolve group membership within the forest.

The Global Catalog is used only for runtime operations, such as authentication. Authentication Manager does not use the Global Catalog for administrative operations. Administrative actions (for example, adding users) are performed against the administrative identity sources (domains) only. Changes to a domain are replicated by Active Directory to the Global Catalog.

Note: Active Directory supports multiple types of groups. When configured to use Active Directory groups, Authentication Manager supports only Universal groups. When you view the Active Directory groups from the RSA Security Console, the Security Console displays all groups, regardless of type. If you select a group from this list to activate users on restricted agents, make sure you select a Universal group. Use the Active Directory Users and Computers MMC console to examine the type of a group. If you use any other type of Active Directory group, the user cannot authenticate.

Mapping Identity Attributes for Active Directory

You must follow specific guidelines when you use the RSA Security Console to map identity attributes to physical attribute names in an Active Directory identity source schema. You use the Add Identity Source page to map attributes.

If your Active Directory identity source is read-only (the default), make sure that all user fields map to non-null attributes. The User ID is mapped to samaccountname by default, but it can be mapped to any attribute that is unique for a user.

If your Active Directory identity source is read/write, make sure you map all of the fields you need when you add the identity source using the Add Identity Source page in the Security Console. If you do not map a field, the field remains blank when you add users. Active Directory does not provide any values for unmapped fields in user records, except in one case: when you create a user without supplying the samaccountname. In this case, Active Directory generates a random string for the samaccountname value.

You can handle this issue using identity attribute definitions. If your environment requires specific attributes, you must explicitly map the identity source to those attributes using the Identity Source Mapping page in the Security Console. By default, when you add a new user, the user is mapped to the fields that are configured for the identity source. For example, the User ID is mapped to samaccountname by default, but the User Principal Name (UPN) field is left blank. Use the Security Console to create an identity attribute definition that you can map to the UPN field in your Active Directory. Then, use the Security Console to map the new attribute.

Note: If you map the User ID to an attribute other than samaccountname, for example to UPN, Active Directory generates a random value for samaccountname. To avoid this scenario, follow the instructions described previously and define an identity attribute definition for samaccountname. Make sure a proper value is provided for this attribute every time you add a new user to Active Directory using the Security Console.
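The mapping rules above, as an added example that is not part of this guide and not Security Console code: the read-only check flags fields mapped to null attributes, and the read/write path refuses an add that would leave samaccountname for Active Directory to fill with a random string, unless an identity attribute definition mapped to samaccountname supplies a value. The Security Console field names, the attribute mapping and the sample users are constructed for illustration.

```python
"""Constructed example of the attribute-mapping rules for an Active Directory
identity source. Field names, the mapping and the sample users are assumptions
for illustration, not Security Console configuration."""
from typing import Dict, List, Optional

# Attribute that Active Directory fills with a random string when it is not supplied.
AD_AUTOFILLED = "samaccountname"


def blank_fields(entry: Dict[str, Optional[str]], mapping: Dict[str, str]) -> List[str]:
    """Read-only check: every Security Console field must map to an attribute
    that is non-null in the directory entry. Returns the offending fields."""
    return [field for field, attr in mapping.items() if not entry.get(attr)]


def build_ad_attributes(fields: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Read/write path: translate Security Console fields into the physical
    attributes that will be written. Unmapped fields stay blank in AD, so
    they are dropped here rather than written."""
    return {mapping[f]: v for f, v in fields.items() if f in mapping and v}


def add_would_randomize_sam(fields: Dict[str, str], mapping: Dict[str, str]) -> bool:
    """True when the add would be submitted without a samaccountname value,
    which is the case in which Active Directory invents one."""
    return not build_ad_attributes(fields, mapping).get(AD_AUTOFILLED)


def prepare_user_add(fields: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Refuse the add instead of letting Active Directory generate a random
    samaccountname; the remedy is an identity attribute definition mapped to
    samaccountname with a value supplied for every new user."""
    if add_would_randomize_sam(fields, mapping):
        raise ValueError(
            f"{AD_AUTOFILLED} has no value: map an identity attribute definition to it "
            f"and supply a value, or Active Directory will generate a random one")
    return build_ad_attributes(fields, mapping)


if __name__ == "__main__":
    # Default mapping: User ID -> samaccountname, UPN left unmapped.
    default_map = {"User ID": "samaccountname", "First Name": "givenname", "Last Name": "sn"}
    # Mapping from the note above: User ID -> UPN, plus a constructed identity
    # attribute definition "SAM Account" explicitly mapped to samaccountname.
    upn_map = {"User ID": "userprincipalname", "SAM Account": "samaccountname",
               "First Name": "givenname", "Last Name": "sn"}
    user = {"User ID": "jdoe@corp.example", "SAM Account": "jdoe",
            "First Name": "Jane", "Last Name": "Doe"}
    print(prepare_user_add(user, upn_map))
```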

Integration Process for Active Directory Forests

The extent of the integration process depends on the scale of your Active Directory forest. Each Global Catalog must be added as a separate runtime identity source, with corresponding resource adapters on each Authentication Manager database server.

Note: If a forest has more than one Global Catalog, you can use one for failover. In this case, you do not need to deploy the second Global Catalog, but you must specify it as a failover URL when you deploy the first Global Catalog.

Likewise, each additional domain controller must be added as an administrative identity source, each with its own corresponding resource adapters on each Authentication Manager database server. For example, for a hypothetical forest composed of three domains and a single Global Catalog, you must deploy eight sets of resource adapters on your Authentication Manager database servers, and then enable four identity sources:

- 3 administrative identity sources (one for each domain) * 2 (deployed on primary and replica database servers)
- 1 runtime identity source (Global Catalog) * 2 (deployed on primary and replica database servers)

To configure identity sources for an Active Directory forest:

1. Do the following:
   - Perform the tasks described in Setting Up SSL for LDAP on page 83.

     Note: This applies to read/write connections. Read-only connections do not require SSL. By default, all Active Directory identity sources are read-only, but you can configure them to read/write.

   - See Password Policy Considerations on page 84.
   - Verify that your domain functional level supports group-to-group membership, and verify your group container, as described in Supporting Groups on page 84.
   - The Active Directory server name must be a valid DNS name. Make sure the name is resolvable for both forward and reverse lookups, and that the Active Directory server can be reached from the Authentication Manager server.

2. Deploy all resource adapters as described in Deploying Resource Adapters on page 85. Configuring the resource adapter for the Global Catalog is similar to configuring one for an administrative domain, with the following exception: for the ldap URL value, specify port 3268 (non-SSL) or 3269 (SSL). Deploy the required resource adapters for the other domains; for the ldap URL value, specify port 636 (SSL). You must deploy the Global Catalog resource adapter before any other Active Directory resource adapters. If you are using Active Directory for authentication only, the adapter still needs to be deployed so that tokens can be assigned to users, but it can use port 389, as no SSL connection is required.
3. From the Add Identity Source page of the RSA Security Console, do the following:
   - Add the Global Catalog as an identity source by providing values for the required settings. These are described in Adding the Identity Source on page 88 and the Help topic Add Identity Sources. In Active Directory Options, select Directory is an Active Directory global catalog.
   - For each domain controller you integrate, add an administrative identity source specifying the Global Catalog as the identity source for authentication. In Active Directory Options, select Authenticate Users to a global catalog, and from the drop-down list select the appropriate Global Catalog for the domain controller.
   - Link the identity sources to an Authentication Manager realm as described in Linking an Identity Source to a Realm on page 89.
   - Verify your LDAP integration as described in Verifying the LDAP Identity Source on page 89.

The following figure illustrates the process flow for integrating an Active Directory forest as an LDAP identity source.
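A planner for the deployment just described, added here as an example that is not part of this guide and not the Initialize Identity Source utility: it applies the port rules above (Global Catalog on 3268 or 3269, domain controllers on 636, or 389 for a non-SSL read-only connection), the ldaps://hostname form for the standard port and ldaps://hostname:port otherwise from Specifying SSL-LDAP for Your Resource Adapters, keeps the Global Catalog adapter first on every database server, and folds a second Global Catalog in as the failover URL. Host names, --ldap-name values and all function and class names are constructed.

```python
"""Constructed planning example for an Active Directory forest integration.
Host names, --ldap-name values and every function and class name are
assumptions for illustration, not initialize-is syntax."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GC_PORT, GC_SSL_PORT = 3268, 3269   # Global Catalog: non-SSL / SSL
DC_PORT, DC_SSL_PORT = 389, 636     # domain controller: non-SSL / SSL


@dataclass(frozen=True)
class Directory:
    host: str
    ldap_name: str                   # --ldap-name; identical on every database server
    is_global_catalog: bool
    read_write: bool = False         # a read/write AD connection requires SSL
    failover_host: Optional[str] = None


@dataclass(frozen=True)
class Deployment:
    db_server: str
    ldap_name: str
    ldap_url: str
    failover_url: Optional[str]


def ldap_url(host: str, port: int, ssl: bool) -> str:
    """Build the --ldap-url value. The standard SSL-LDAP port 636 may be
    omitted; any other port (the Global Catalog ports included) is explicit."""
    scheme = "ldaps" if ssl else "ldap"
    if ssl and port == DC_SSL_PORT:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def port_for(d: Directory, ssl: bool) -> int:
    if d.is_global_catalog:
        return GC_SSL_PORT if ssl else GC_PORT
    return DC_SSL_PORT if ssl else DC_PORT


def directory_url(d: Directory, ssl: bool, host: Optional[str] = None) -> str:
    """URL for a directory (or for its failover host when one is given).
    Rejects the unsupported combination of read/write without SSL."""
    if d.read_write and not ssl:
        raise ValueError(f"{d.host}: a read/write Active Directory source requires SSL")
    return ldap_url(host or d.host, port_for(d, ssl), ssl)


def plan_forest(global_catalogs: List[Directory], domain_controllers: List[Directory],
                db_servers: List[str], ssl: bool = True
                ) -> Tuple[List[Deployment], List[Tuple[str, str]]]:
    """Return the resource adapter deployments (one per directory per database
    server, Global Catalog first) and the identity sources to add once in the
    Security Console. A second Global Catalog is not deployed on its own; it
    becomes the failover URL of the first."""
    if not global_catalogs:
        raise ValueError("an Active Directory forest integration needs a Global Catalog")
    gc, spare_gcs = global_catalogs[0], global_catalogs[1:]
    ordered = [gc] + list(domain_controllers)       # GC adapter is deployed first
    failover = {d.host: d.failover_host for d in ordered}
    if spare_gcs and failover[gc.host] is None:
        failover[gc.host] = spare_gcs[0].host
    deployments = [
        Deployment(server, d.ldap_name, directory_url(d, ssl),
                   directory_url(d, ssl, failover[d.host]) if failover[d.host] else None)
        for server in db_servers for d in ordered
    ]
    sources = [(d.ldap_name, "runtime" if d.is_global_catalog else "administrative")
               for d in ordered]
    return deployments, sources


if __name__ == "__main__":
    # Constructed forest: one Global Catalog plus a spare, three domains, and
    # primary and replica database servers -> 8 deployments, 4 identity sources.
    gcs = [Directory("gc1.corp.example", "corp-gc", True),
           Directory("gc2.corp.example", "corp-gc", True)]
    dcs = [Directory(f"dc.dom{i}.corp.example", f"dom{i}", False) for i in (1, 2, 3)]
    deployments, sources = plan_forest(gcs, dcs, ["am-primary", "am-replica"])
    for dep in deployments:
        print(dep)
    print(sources)
```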

[Figure: Active Directory Forest LDAP Identity Source Tasks. Process flow: Prepare for integration; Deploy resource adapters for the Global Catalog on all database servers using the Initialize Identity Source utility; Deploy resource adapters for Domain Controllers on all database servers using the Initialize Identity Source utility; Add Global Catalog as an identity source in the RSA Security Console; Add domain controllers as identity sources in the RSA Security Console; Link identity sources to a realm in the RSA Security Console; Verify identity source; End.]

Preparing for Integration

Perform these tasks prior to running the Initialize Identity Source utility. SSL setup is required for an Active Directory read/write connection and optional for Sun Java System Directory Server. For Active Directory, there are additional important considerations for password policies and group membership support.

Setting Up SSL for LDAP

To set up SSL connections between your LDAP directory server and Authentication Manager, perform the following tasks. In addition to importing a certificate prior to running the Initialize Identity Source utility, you must specify an LDAP URL when creating resource adapters, and select SSL when adding the identity source in the RSA Security Console.

Importing the CA Certificate

For SSL configuration, you must import your root CA (certificate authority) certificate into the default Java jssecacerts keystore. Once you have obtained the CA certificate, use the Java keytool (provided by Sun with your JDK) to import it into the keystore at RSA_AM_HOME/jdk/jre/lib/security/jssecacerts. For higher security, change your Java keystore password from the default password before importing the certificate.

Note: Your directory server must already be configured for SSL connections and have ready access to the CA certificate. If your system does not meet these requirements, see your directory server documentation for instructions on setting up SSL.

For the certificate alias, provide a name for display. When you list the certificates in the keystore, the root CA certificate is displayed with the alias you specified in the keytool -import command.

To import the CA certificate:

1. At a command prompt, type:
     RSA_AM_HOME/jdk/bin/keytool -import -file AD_CA_Cert -keystore RSA_AM_HOME/jdk/jre/lib/security/jssecacerts -alias CERTIFICATE_ALIAS -trustcacerts
   where AD_CA_Cert is the CA certificate file and CERTIFICATE_ALIAS is the display name you chose for it.
2. The Java keytool prompts you to provide a password for the keystore. Enter the password. The Java keystore default is changeit.
3. The Java keytool prompts you to specify whether to trust the CA certificate. Type Y or Yes (the default is no). The Java keytool displays a confirmation that the certificate was added to the keystore.
4. Restart Authentication Manager.

Specifying SSL-LDAP for Your Resource Adapters

When you perform the steps described in Deploying Resource Adapters on page 85, make sure you specify a secure URL for the ldapurl value. If you are using the standard SSL-LDAP port 636, you can specify the value as ldaps://hostname. For any nonstandard port, you must also specify the port number, using ldaps://hostname:port.

Password Policy Considerations

Active Directory has a default password policy that is more strict than the default Authentication Manager password policy. This can lead to errors such as Will Not Perform when adding and updating users. To manage password policies with Active Directory identity sources, do one of the following:

- Make your Authentication Manager password policy requirements more strict. See the chapter Preparing RSA Authentication Manager for Administration in the Administrator's Guide.
- Relax the complexity requirements in the Windows 2003 Group Policy Editor. See your Windows documentation.

Supporting Groups

Setting the Domain Level for Group-to-Group Membership

To support group-to-group membership in Active Directory, you must set the domain functional level to Windows 2003. For more information about how to raise the domain functional level, go to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5084a49d-20bd-43f0-815d-88052c9e2d46.mspx.

Specifying a Group Container in the RSA Security Console

The default organizational unit Groups does not exist in a default Active Directory installation. Make sure that a valid container is specified for the Group Base DN when adding the identity source.

Using the Initialize Identity Source Utility to Deploy Resource Adapters

Deploy the required resource adapters using the Initialize Identity Source (initialize-is) utility. A Resource Adapter Archive (RAR) file is a data connector conforming to the J2EE connector architecture standard. Resource adapters allow Authentication Manager connection pools (groups of database connections) to interoperate with your LDAP server.

You must deploy resource adapters on each database server machine that accesses your LDAP directory. In a typical deployment with both a primary and replica instance, you must run the Initialize Identity Source utility on both the primary and replica database servers using the same name for the identity source (--ldap-name) option flag. For any additional replica instances, repeat the procedure.

Deploying Resource Adapters

The Initialize Identity Source utility is available in RSA_AM_HOME/utils/. The remainder of this section describes how to use the Initialize Identity Source utility to create, deploy, and undeploy resource adapters.

The Initialize Identity Source utility creates and deploys resource adapters with the deploy command. Use special care in specifying these parameters, which are important arguments in the deploy command:

--ldap-name. This value must also be specified during the Security Console-based steps described in Enabling Identity Sources in the RSA Security Console on page 88. Resource adapters deployed on replica database servers must have exactly the same value for --ldap-name as the resource adapters deployed on your primary database server.

--ldap-user-id. Make sure you specify the user name with the actual DN for the node of your LDAP hierarchy that contains the target users and groups. Sun Java System Directory Server only: If your root DN user differs from the default value Directory Manager, make sure the user has access permission over the domain.

--ldap-url. To enable SSL-LDAP, specify a secure URL for the ldapurl value. If you are using the standard SSL-LDAP port 636, specify the value as ldaps://hostname. For any nonstandard port, you must also specify the port number, for example, ldaps://hostname:port.

To deploy resource adapters:

1. Change directories to RSA_AM_HOME/utils/.

2. Type the following (replace the variables with the configuration parameters described in Option Flags for initialize-is on page 86):

   rsautil initialize-is option flags

   For example:

   rsautil initialize-is --deploy --ldap-url [ldap/ldaps]://hostname:port --ldap-name AD --ldap-user-id CN=Administrator,CN=Users,dc=blueskys,dc=com --ldap-password password --ldap-failover-url url --timeout[seconds]

3. Enter your master password when prompted. This output indicates a successful command:

   Creating the Weblogic resource adapters...
   Deploying the Weblogic resource adapters...
   Operation completed successfully.

4. To test the resource adapter, type:

   rsautil initialize-is --status --ldap-name existing_ldap

   The response from this command lists all resource adapters found, and indicates whether they are responding properly.

Note: For replica database servers, be sure to restart after running the Initialize Identity Source utility.

Option Flags for initialize-is

The following table lists the option flags for the Initialize Identity Source utility. The required command line options for each flag are indented below the option flag.

Flag                          Alternate Flag  Usage
--master-password             -m              Master password for the encrypted properties file.
--deploy                                      Creates and deploys the resource adapters for an LDAP identity source.
    --ldap-url url                            URL of the LDAP identity source.
    --ldap-name name                          User defined unique identity source name.
    --ldap-user-id username                   LDAP server user name.
    --ldap-password password                  LDAP server password.
    --ldap-failover-url                       Optional. URL of the failover identity source.
    --timeout                                 Optional. Interrupts the deployment if it cannot be completed before the set time-out limit expires. The value is set in seconds, and must be between 10 and 900. The default is 60 seconds.
--undeploy                                    Removes the resource adapters for an LDAP identity source.
    --ldap-name name                          User defined unique identity source name.
    --timeout                                 Optional. Interrupts the undeployment if it cannot be completed before the set time-out limit expires. The value is set in seconds, and must be between 10 and 900. The default is 60 seconds.
--list                                        Lists installed LDAP identity sources.
--user-id username                            Authentication Manager administrator user name.
--password password                           Authentication Manager administrator password.
--help                        -h              Prints usage information.
--status                                      Lists the status of the connection pools for the specified identity source. Example usage is: rsautil initialize-is --status --ldap-name existing_ldap.
--version                     -v              Displays version and copyright information.
--timeout[seconds]                            The time for WebLogic to respond after it deploys the .war file. The utility requests WebLogic to deploy the .war file and waits for 60 seconds (by default) to hear back. If it does not hear back within the specified time, the request fails. To avoid a failure, increase the time-out value.

Undeploying the Resource Adapters

If an identity source is removed from Authentication Manager, the resource adapter(s) for that identity source must be undeployed. You must undeploy each of the resource adapters that serve the connection to the directory server.

To undeploy the resource adapters:

1. Change directories to RSA_AM_HOME/utils.

2. Type the following (replace the variables with the configuration parameters described in Option Flags for initialize-is on page 86):

   rsautil initialize-is --master-password master_password --undeploy --ldap-name AD

Modifying an Identity Source

To modify a URL (for example, if the LDAP server is moved to a new URL or to change from non-SSL to SSL) or any parameter, you must redeploy the identity source. The --deploy option is used to modify the identity source.

Note: When redeploying the identity source, specify all the required parameters, not just the parameter that changed.

To modify an identity source:

1. Change directories to RSA_AM_HOME/utils.

2. Type the following (replacing the variables with the configuration parameters described in Option Flags for initialize-is on page 86):

   rsautil initialize-is --master-password master_password --deploy --ldap-name existing_ldap --ldap-url ldap/ldaps://newhostname.domain:port --ldap-user-id "cn=directory Manager" --ldap-password password

   Note: The --ldap-name must be identical to the identity source you are changing, otherwise a new identity source is deployed instead of replacing the existing one.

Enabling Identity Sources in the RSA Security Console

Perform the remaining tasks for integrating an LDAP directory in the RSA Security Console. In addition to the guidance provided in this section, see the Help topic Add Identity Sources.

Adding the Identity Source

For this part of the LDAP integration process, you use the RSA Security Console to provide information about your LDAP directory in order to map Authentication Manager operations to the actual named location of user and group data in your schema. Authentication Manager reads data from these locations, and writes data to them if you have configured the system for read/write operations. However, Authentication Manager never modifies the schema or adds to it in any way.

This process requires you to enter values in fields on the Add Identity Source page of the RSA Security Console. Each completed value saves integration information to Authentication Manager. In particular, note these important parameters:

Name. Defines the name for the identity source that is displayed to the administrator in the RSA Security Console. This is the same value you assigned for --ldap-name when creating resource adapters.

Read-Only. Determines whether Authentication Manager is permitted to write to the LDAP directory. Select this box for read-only operations, or clear it for read/write operations.

To add an identity source in the RSA Security Console:

1. Log on to the RSA Security Console as Super Admin.

2. Click Setup > Identity Sources > Add New.

3. Enter values in all fields. Move your cursor over the i icon for guidance on entering the correct values.

4. Click Save.
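The deploy, option-flag and redeploy rules for initialize-is described above can be checked before rsautil is run. The following POSIX shell script is an added example and is not part of this guide or the product: it validates the --ldap-url scheme and port, the --timeout range (10 to 900 seconds, default 60), and whether a redeploy's --ldap-name matches an existing identity source, then prints the assembled command. The existing-name list format, the build_deploy_cmd helper and the sample values are constructed for the example (dc=blueskys,dc=com is the domain used in the guide's own example).

```shell
#!/bin/sh
# Added example, not from the RSA guide: pre-flight checks for the
# initialize-is --deploy parameters. It validates and prints the command
# line; it never runs rsautil itself.

# Validate an --ldap-url value. SSL-LDAP requires the ldaps scheme; port
# 636 may be omitted, any other port must be given explicitly.
# Returns 0 for a usable ldaps URL, 2 for a plain ldap URL, 1 otherwise.
check_ldap_url() {
  url=$1
  case "$url" in
    ldaps://*) hostport=${url#ldaps://} ;;
    ldap://*)  echo "warning: $url is not SSL-LDAP; use ldaps://" >&2; return 2 ;;
    *)         echo "error: unsupported scheme in '$url'" >&2; return 1 ;;
  esac
  hostport=${hostport%%/*}
  [ -n "$hostport" ] || { echo "error: missing host in '$url'" >&2; return 1; }
  case "$hostport" in
    *:*)
      port=${hostport##*:}
      case "$port" in
        ''|*[!0-9]*) echo "error: bad port in '$url'" >&2; return 1 ;;
      esac ;;
  esac
  return 0
}

# Validate --timeout: whole seconds in 10..900; empty means the 60 s default.
check_timeout() {
  t=${1:-60}
  case "$t" in ''|*[!0-9]*) return 1 ;; esac
  [ "$t" -ge 10 ] && [ "$t" -le 900 ]
}

# On a redeploy the --ldap-name must match an existing identity source,
# otherwise a second source is created instead of replacing the first.
# $1 = name, $2 = existing names, one per line (a constructed format, not
# the real output of `rsautil initialize-is --list`).
name_exists() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Assemble the deploy command from validated inputs and print it.
# $1 ldap-name, $2 ldap-url, $3 ldap-user-id, $4 timeout (may be empty),
# $5 existing names (empty on a first deploy). The --ldap-password value
# is deliberately not assembled here; add it when running the command.
build_deploy_cmd() {
  name=$1 url=$2 userid=$3 timeout=$4 existing=$5
  [ -n "$name" ] || { echo "error: --ldap-name is required" >&2; return 1; }
  check_ldap_url "$url" || [ $? -eq 2 ] || return 1
  check_timeout "$timeout" || { echo "error: --timeout must be 10..900 seconds" >&2; return 1; }
  if [ -n "$existing" ] && ! name_exists "$name" "$existing"; then
    echo "warning: '$name' is not an existing identity source; --deploy will create a new one" >&2
  fi
  cmd="rsautil initialize-is --deploy --ldap-url $url --ldap-name $name --ldap-user-id \"$userid\""
  [ -z "$timeout" ] || cmd="$cmd --timeout $timeout"
  printf '%s\n' "$cmd"
}
```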

Linking an Identity Source to a Realm

To enable administration of an identity source, you must link it to a realm for administration.

Note: Do not configure multiple identity sources with overlapping scope in the same realm or across realms. For example, make sure two identity sources do not point to the same base DNs for user and group searches. For Active Directory, a runtime identity source can have overlapping scope with the corresponding administrative source(s), but two runtime identity sources cannot have overlapping scope.

To link the new identity source to a realm:

1. Log on to the RSA Security Console as Super Admin.

2. Click Setup > Administration > Realms > Manage Existing.

   Note: You can also create a new realm.

3. Use the search fields to find the realm with which you want to work.

4. Click on the realm with which you want to work.

5. From the Context menu, click Edit.

6. From the list of available identity sources, select the identity sources you want to link with the realm, and click the right arrow. The names displayed are the values you entered when you added the identity source (see the previous section, Adding the Identity Source).

7. Click Save.

Verifying the LDAP Identity Source

To verify that you have successfully added an identity source, you can view the particular users and groups from the LDAP identity source through the RSA Security Console.

To verify the LDAP identity source:

1. Click Identity > Users > Manage Existing.

2. Use the search fields to find the appropriate realm and identity source, and click Search.

3. View the list of users from your LDAP identity source.
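The overlapping-scope rule in the note above can be checked mechanically across all identity sources before they are linked to realms. This POSIX shell script is an added example, not from the guide or the product: it treats two base DNs as overlapping when they are equal or one lies beneath the other, applies the Active Directory exception for a runtime source paired with an administrative source, and reports every conflicting pair. The name|type|role|user DN|group DN input format, the function names and the sample sources are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the RSA guide: detect identity sources whose
# user or group base DNs overlap. Two DNs overlap when they are equal or
# one is an entry under the other's subtree. For Active Directory only,
# a runtime source may overlap its administrative source(s); two runtime
# sources may not.

# Normalize a DN for comparison: lowercase, no blanks around commas.
norm_dn() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
    sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# dn_within A B: returns 0 if A equals B or lies beneath B.
dn_within() {
  a=$(norm_dn "$1"); b=$(norm_dn "$2")
  [ "$a" = "$b" ] && return 0
  case "$a" in *",$b") return 0 ;; esac
  return 1
}

# dn_overlap A B: returns 0 if either DN contains the other.
dn_overlap() {
  dn_within "$1" "$2" || dn_within "$2" "$1"
}

# pair_conflicts: returns 0 if two sources must not coexist.
# $1 $2 = directory type (ad|sun) and role (admin|runtime) of source 1,
# $3 $4 = its user and group base DNs; $5..$8 the same for source 2.
pair_conflicts() {
  t1=$1 r1=$2 u1=$3 g1=$4 t2=$5 r2=$6 u2=$7 g2=$8
  if dn_overlap "$u1" "$u2" || dn_overlap "$g1" "$g2"; then
    # AD exception: one runtime source may overlap one administrative source.
    if [ "$t1" = ad ] && [ "$t2" = ad ] && [ "$r1" != "$r2" ]; then
      return 1
    fi
    return 0
  fi
  return 1
}

# check_sources LIST: LIST holds one source per line as
#   name|type|role|user base DN|group base DN   (constructed format)
# Prints each conflicting pair; returns 0 when no pair conflicts.
check_sources() {
  f=$(mktemp) || return 2
  printf '%s\n' "$1" > "$f"
  conflicts=0 i=0
  while IFS='|' read -r n1 t1 r1 u1 g1 <&3; do
    [ -n "$n1" ] || continue
    i=$((i + 1)); j=0
    while IFS='|' read -r n2 t2 r2 u2 g2 <&4; do
      [ -n "$n2" ] || continue
      j=$((j + 1))
      [ "$j" -gt "$i" ] || continue   # each unordered pair once
      if pair_conflicts "$t1" "$r1" "$u1" "$g1" "$t2" "$r2" "$u2" "$g2"; then
        echo "conflict: $n1 and $n2 have overlapping scope"
        conflicts=$((conflicts + 1))
      fi
    done 4<"$f"
  done 3<"$f"
  rm -f "$f"
  [ "$conflicts" -eq 0 ]
}
```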

Removing an Identity Source

Use caution when removing an identity source. This is an irreversible process.

To remove an identity source:

1. In the RSA Security Console, delete any roles associated with the identity source. If you have created any roles in the realm after linking it to the identity source, whether you have assigned them to users or not, you must delete them before removing the identity source.

2. Remove all references linking the identity source with the realm as described in the following section, Unlinking an Identity Source from a Realm.

3. Use the Initialize Identity Source utility to undeploy the resource adapters as described in Undeploying the Resource Adapters on page 87.

Unlinking an Identity Source from a Realm

To disable an identity source, it must be unlinked from a realm.

To unlink an identity source from a realm:

1. Log on to the RSA Security Console as an administrator.

2. Click Setup > Deployment > Realms > Manage Existing.

3. Use the search fields to find the realm with which you want to work.

4. Click on the realm with which you want to work.

5. From the Context menu, click Edit.

6. From the list of linked identity sources, select the identity source you want to unlink from the realm, and click the left arrow to unlink it.

7. Click Save.

Identifying Orphaned LDAP Users

After an LDAP user's DN has been changed, Authentication Manager can no longer retrieve that user. You need to periodically run the Orphaned Data Report to view the External Unique Identifiers (EXUID) for users who are no longer associated with their original DNs. EXUID is a directory-specific unique identifier that Authentication Manager can use to find users that have moved in the directory information tree of the directory server.

9 Installing the Authentication Manager MMC Extension

MMC Extension Overview
System Requirements and Prerequisites
Installation Process
Post-Installation

MMC Extension Overview

The RSA Authentication Manager 7.0 MMC Extension extends the Microsoft Active Directory Users and Computers Management (ADUC) snap-in. It extends the context menus, property pages, control bars, and toolbars to provide a convenient way for Windows Active Directory users to perform RSA SecurID token management. For more information on the administrative actions enabled by this extension, see the Administrator's Guide.

System Requirements and Prerequisites

Install the RSA Authentication Manager 7.0 MMC Extension only on the following platforms:

Windows XP Professional SP1 or later with Windows Server 2003 Administration Tools Pack and Internet Explorer 6.0 or later installed

Windows Server 2003 SP1 or later (if Active Directory is not available, install Windows Server 2003 Administration Tools Pack) with Internet Explorer 6.0 or later installed

This prerequisite must be met for installation of the MMC Extension:

The administrator running the installation for the MMC Extension setup program must have the appropriate administrative permissions in order to perform an installation. The appropriate level of permissions (for example, domain level) depends on your Windows network configuration. At minimum, the installing technician must be a domain administrator and a local machine administrator.

Installation Process

Choose one of these installation processes depending on whether you want to administer locally on the Active Directory host or remotely from a Windows station.

Installing the MMC Extension for Local Access
Installing the MMC Extension for Remote Access

Installing the MMC Extension for Local Access

Use this installation process if you want to perform Authentication Manager administration through the MMC Extension directly on the host where Active Directory is installed.

To install the MMC Extension on the Active Directory host:

1. Locate and launch the installer at client\mmc\rsammc.exe.

2. Respond to the prompts for Welcome, Select Region, and License Agreement.

3. At the prompt for Destination Location, either accept the default location or enter an alternative location.

4. For Authentication Manager server settings, enter your values for:

   Authentication Manager server hostname
   Authentication Manager server port number
   RSA Security Console URL

   Note: Replace the Security Console fully qualified name and port number with your actual values, but do not change console-am.

5. Review the Pre-installation screen, and click Next to continue.

6. Click Finish.

Installing the MMC Extension for Remote Access

To use the MMC Extension remotely from Windows XP or a Windows Server 2003 without Active Directory installed, make sure you meet these additional requirements before installing on the remote host:

Windows Server 2003, with Active Directory installed, can be accessed from the Windows XP machine, and the Windows XP machine is part of the domain defined by the Windows Server 2003 machine.

The administrator uses a domain user account to log on to the Windows XP machine.

The administrator using the Windows Server 2003 administration pack to remotely administer the Active Directory is granted appropriate administrative permissions. The appropriate level of permissions (for example, domain level) depends on your Windows network configuration.

Windows Server 2003 Administration Tools Pack

The Windows Server 2003 Administration Tools Pack (AdminPak.msi) installs a set of server administration tools onto a Windows XP Professional machine or Windows Server 2003 machine. This allows administrators to remotely manage both Windows 2000 as well as Windows Server 2003. The tools contained in the file are officially part of the Windows Server 2003 product, and AdminPak.msi installs them onto your Windows XP Professional or Windows Server 2003 machine. The file is available on the RSA Authentication Manager 7.0 DVD and download kit, or you can download the latest version from http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en.

To install the MMC Extension on the Active Directory host:

1. Install AdminPak.msi, and reboot the machine if necessary.

2. Locate and launch the installer at client\mmc\rsammc.exe.

3. Respond to the prompts for Welcome, Select Region, and License Agreement.

4. At the prompt for Destination Location, either accept the default location or enter an alternative location.

5. For Authentication Manager server settings, enter your values for:

   Authentication Manager server hostname
   Authentication Manager server port number
   Security Console URL

   Note: Replace the Security Console fully qualified name and port number with your actual values, but do not change console-am.

6. Review the Pre-installation screen, and click Next to continue.

7. Click Finish.

Post-Installation

After a successful installation, configure your Internet Explorer security settings and start the ADUC before administering Authentication Manager through the MMC Extension. Also, make sure:

RSA Authentication Manager is installed and running.

Active Directory is configured and registered as an identity source. See Chapter 8, Accessing Users and Groups from an LDAP Directory.

The Windows user for the MMC Extension is a valid Active Directory administrator and a valid Authentication Manager administrative user. For more information on administrator and administrative permissions, see the Administrator's Guide.

Configuring Internet Explorer Security Settings

Add the Security Console to your list of trusted sites, and make sure your security settings comply with the following requirements.

To add the RSA Security Console deployment to your Internet Explorer list of trusted sites:

1. Open Internet Explorer on the machine hosting the MMC Extension.

2. Click Control Panel > Internet Options > Security > Local Intranet > Sites > Advanced, and enter the URL for your Security Console. For example:

   https://mypc.mydomain.com:7004/console-am

3. Click OK or Apply to save the changes.

To configure Internet Explorer security settings:

1. In Internet Explorer, select Tools > Internet Options > Security.

2. Click Custom Level.

3. In Reset custom settings, select Medium from the drop-down menu, and click Reset.

4. In the options window, select Enable for these two settings:

   Download signed ActiveX controls
   Launching programs and files in an IFRAME

5. Click OK > OK to return to Internet Options.

6. Close the browser, and open a new browser window for the Security Console.

Starting the Active Directory User and Computer Management Console

To use the MMC Extension for Authentication Manager administration, you must start the Active Directory User and Computer Management Console. Do one of the following:

Click Control Panel > Administrative Tools > Active Directory Users and Computers.

From a command prompt, run dsa.msc.

10 Removing RSA Authentication Manager

Removing RSA Authentication Manager Servers
Removing a Server Node
Removing a Replica Database Server
Rebalancing Contact Lists
Removing a Primary Database Server

Removing RSA Authentication Manager Servers

To remove all servers from a deployment, including server nodes, replica database servers, and the primary database server, remove the server nodes in this order:

1. Server nodes

2. Replica database servers

3. Primary database server

For example, if you are removing a replica instance with server nodes, first remove the server nodes and then the replica database server. The order is important because you must remove server node information from the database server before removing the server node itself. In a replica database server removal, the reference information is removed automatically from the primary database server by the removal program.

After removing server nodes from a replica instance or removing a replica database server, perform the tasks described in Rebalancing Contact Lists on page 99.

Removing a Server Node

GUI-Based Removal

To remove a server node on Windows:

1. Make sure you have stopped all Authentication Manager services on the server node server.

2. From a command prompt on the host of the database server, change directories to RSA_AM_HOME/utils/.

3. Type:

   rsautil manage-nodes --action rem-node --node-host node_hostname

4. When prompted, enter your administration password.

5. At the prompt, enter your master password. The message Removing node from cluster appears.

6. Switch to the server node that you want to uninstall.

7. Open Control Panel > Add/Remove Programs.

8. On the listing for RSA Authentication Manager, click Remove. The GUI uninstaller program displays on your screen.

9. Restart the Authentication Manager on the primary instance.

10. Perform the tasks described in Rebalancing Contact Lists on page 99.

To remove a server node on Linux:

1. Make sure you have stopped all Authentication Manager services on the server node server.

2. From a command prompt on the host of the database server, change directories to RSA_AM_HOME/utils/.

3. Type:

   rsautil manage-nodes --action rem-node --node-host node_hostname

4. At the prompt, enter your master password. The message Removing node from cluster appears.

5. Switch to the server node.

6. Change directories to RSA_AM_HOME/uninstall.

7. Type:

   uninstall

   The GUI uninstaller program displays on your screen. The removal program runs and then prompts you to run an important script as root user.

8. Run this script to finish removing Authentication Manager.

9. Reboot the server node.

10. Restart the Authentication Manager on the primary instance.

11. Perform the tasks described in Rebalancing Contact Lists on page 99.

Command Line Removal

To remove a server node in command line mode:

1. Make sure you have stopped all Authentication Manager services on the server node server.

2. From a command prompt on the host of the database server, change directories to RSA_AM_HOME/utils/.

3. Type:

   rsautil manage-nodes --action rem-node --node-host node_hostname

4. At the prompt, enter your master password.

5. The message Removing node from cluster appears.

6. Switch to the server node.

7. Change to the directory RSA_AM_HOME/uninstall.

8. Invoke the uninstaller. Type:

   uninstall -console

9. (Linux only) The removal program runs and then prompts you to run an important script as root user. Run this script to finish removing Authentication Manager. Then, reboot the server node.

10. Restart the Authentication Manager on the primary instance.

11. After removing server nodes from a replica instance, perform the tasks described in Rebalancing Contact Lists on page 99.

Removing a Replica Database Server

GUI-Based Removal

Make sure Authentication Manager is running on the primary instance and the replica database server is able to connect to the primary database server before you begin removal.

To remove on Windows:

1. Verify that the Authentication Server is running on the primary instance.

2. Click Start > Control Panel > Add/Remove Programs.

3. On the listing for RSA Authentication Manager, click Remove. The GUI uninstaller program displays on your screen.

4. At the prompts, select the components that you want to remove, and click Finish.

5. To verify that the replica database server has been successfully removed, at a command prompt on the primary database server, type:

   rsautil manage-replication -a list

   Make sure the replica database server you removed does not display in this listing.

6. Perform the tasks described in Rebalancing Contact Lists on page 99.

To remove on Linux:

1. Verify that the Authentication Server is running on the primary instance.

2. Change directories to RSA_AM_HOME/uninstall.

3. Type:

   uninstall.sh

   The GUI removal program displays on your screen.

4. At the prompts, select the components that you want to remove, and click Finish.

5. The removal program runs and then prompts you to run an important script as root user. Run this script to finish removing Authentication Manager.

6. Reboot the replica instance host.

7. To verify that the replica database server has been successfully removed, at a command prompt on the primary database server, type:

   rsautil manage-replication -a list

   Make sure the replica database server you removed does not display in this listing.

8. Perform the tasks described in Rebalancing Contact Lists on page 99.

Command Line Removal

To remove Authentication Manager in command line mode:

1. Verify that Authentication Manager is running on the primary instance.

2. Invoke the uninstaller. For Windows, type:

   uninstall -console

   For Linux, type:

   ./uninstall -console

3. (Linux only) The removal program runs and then prompts you to run an important script as root user. Run this script to finish removing Authentication Manager. Then, reboot the machine.

4. To verify that the replica database server has been successfully removed, at a command prompt on the primary database server, type:

   rsautil manage-replication -a list

   Make sure the replica database server you removed does not display in this listing.

5. Perform the tasks described in Rebalancing Contact Lists on page 99.

Manual Cleanup for Unsuccessful Removal

If the primary database server is unavailable at removal time, you may receive the error message Replica uninstall failed. You may need to perform manual replica cleanup on the primary.

To perform manual cleanup:

1. At a command prompt on the primary database server, type:

   rsautil manage-replication -a remove-replica -n name_of_the_replica_site

2. To verify that the replica database server has been successfully removed and cleanup has succeeded, type:

   rsautil manage-replication -a list

   Make sure the replica database server you removed does not display in this listing.

Rebalancing Contact Lists

After you remove the replica database server and any server nodes from the replica instance, rebalance the contact lists in the primary instance RSA Security Console. This removes the references to the removed replica instances.

To automatically update your contact lists:

1. Click Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.

2. Click Rebalance.

Removing a Primary Database Server

GUI-Based Removal

Make sure Authentication Manager is running before you begin removal.

To remove on Windows:

1. Verify that the Authentication Server is running.

2. Click Start > Control Panel > Add/Remove Programs.

3. On the listing for RSA Authentication Manager, click Remove. The GUI uninstaller program displays on your screen.

4. At the prompts, select the components that you want to remove, and click Finish.

To remove on Linux:

1. Verify that the Authentication Server is running.

2. Change directories to RSA_AM_HOME/uninstaller.

3. Type:

   uninstall.sh

   The GUI removal program displays on your screen.

4. At the prompts, select the components that you want to remove, and click Finish.

5. The removal program runs and then prompts you to run an important script as root user. Run this script to finish removing Authentication Manager.

6. Reboot the machine.

Command Line Removal

To remove Authentication Manager in command line mode:

1. Verify that Authentication Manager is running.

2. Invoke the uninstaller. Type:

   uninstall -console

3. Select the components that you want to remove.

4. At the prompt, enter 1 to remove the components.

5. (Linux only) The removal program runs and then prompts you to run an important script as root user. Run this script to finish removing Authentication Manager. Then, reboot the machine.

A Troubleshooting

Unsuccessful Installation or Removal
Server Does Not Start
RSA Security Console Does Not Start
LDAP Identity Source Integration Unsuccessful
MMC Extension Does Not Start
Multicast Network Communication Fails
Message Indicates Node Manager Service Not Started

Unsuccessful Installation or Removal

Viewing Installation Logs

Perform these checks and tasks if the installer fails to run to completion.

Authentication Manager records a log of an unsuccessful installation in a temporary directory: Temp/rsa_am_YYMMDDHHmmSS/rsa_am_install.log. For Windows, the log is in the folder specified by your %TEMP% environment variable. For Linux, the log is in /tmp. You can find the log for a successful installation at RSA_AM_HOME/install/rsa_am_install.log.

An unsuccessful removal operation also creates a time-stamped uninstall log directory at Temp/rsa_am_YYMMDDHHmmSS/rsa_am_uninstall.log.

Cleanup Script for Reinstallation (Windows Only)

If you intend to perform an installation following a canceled or failed installation on a Windows system, first run the installer as described in Removing RSA Authentication Manager Servers on page 95. If the removal fails on a Windows system, make sure all servers are stopped, and run the cleanup script on your installation media at auth_mgr\win32-x86\bin\tools\cleanup.cmd. After you run this script on the target host, you can perform another installation of Authentication Manager.

Cleanup for Linux Systems

If you intend to perform an installation following a canceled or failed installation that did not roll back or was abruptly terminated on a Linux system, you need to go to the home directory of the user who performed the failed installation, and delete the ~/InstallShield directory.

Obscured Error Messages

The installer and removal programs may obscure error messages in a way that gives the appearance of an unresponsive installer. If the installer or removal programs appear to freeze, use ALT-TAB to determine if an error message window is open.

For example, in case of a failed installation, there may be residual files left on your system. When you run the installer again, it may detect these files and prompt you whether to overwrite them. However, the error message may be obscured or minimized. If this situation occurs, click through all open windows or error messages, and select the option to allow the system to overwrite files.

Server Does Not Start

If one or all of the Authentication Manager services fail to start up, examine the following logs for information that may help you in troubleshooting the problem:

Trace. Captures log messages that you can use to debug your system.

System. Captures log messages that record system level messages.

Both these logs can be found in RSA_AM_HOME/server.

RSA Security Console Does Not Start

The console may take a considerable time to start on its initial startup. This may extend to ten minutes in some cases.

Using the Collect Product Information Utility

If your console fails to start, use the Collect Product Information utility to gather information that may help you in troubleshooting the problem. You can use the import command option flag to view the information. If required, you can send the data package to RSA Customer Support for analysis. See Collect Product Information Utility on page 108.

LDAP Identity Source Integration Unsuccessful

If you are unable to verify your identity source in the RSA Security Console, log off and then log back on to the Security Console. If you still cannot verify the identity source, it is likely that an error was introduced into one of the values provided during the registration process. For instance, if you provided an invalid value for base DN, the identity source integration fails.

Note: To check the base DN value, compare the value given in Setup > Identity Sources with the values shown in your directory server administration tools. These values must be identical.

To correct a failed integration, you must remove the identity source and re-register.

To remove a failed LDAP identity source integration:

1. In the Security Console, delete any roles you associated with users in the identity source. If you did not create any roles for users stored in the identity source, you do not need to perform this step.

2. Unlink the identity source from the realm as described in Unlinking an Identity Source from a Realm on page 90.

After completing these steps, begin again with the registration task, entering all values carefully and precisely. Note that all values are case-sensitive.

MMC Extension Does Not Start

Perform these tasks if the MMC Extension fails to start.

1. Try to start the Security Console in a web browser to see if you can log on and perform a standard operation such as listing a user assigned token.

2. Try to use the Windows user account to log on to the Security Console. If this fails, the appropriate administrative role is not assigned to the Windows user.

3. Check whether the current Windows user account used to launch the MMC is Domain and Local administrator. If not, assign the appropriate privilege to the Windows user, and restart the MMC.

4. Open the Windows registry to see whether you have read/modify permission to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\RSASecurity\AuthenticationManager\MMC.

5. (Remote access users only) Check whether the client machine is part of the Active Directory domain.

Multicast Network Communication Fails

It may be difficult to detect whether server nodes in a cluster are communicating properly over the network. You might notice large numbers of expired JMS messages in the application server logs. Check the install dir\server\servers\servername_server.log file.

You can use the Multicast Network Test utility, test-multicast, to troubleshoot problems that may occur as a result of deploying RSA Authentication Manager in a clustered environment. For more information, see Multicast Network Test Utility on page 114.

Message Indicates Node Manager Service Not Started

You might see the following message:

    Could not start the RSA Authentication Node Manager service on Local Computer.
    Error 1053: The service did not respond to the start or control request in a timely fashion

Although the message gives the impression that the service cannot start, in fact, the service may simply be taking a very long time to start. To resolve, clear the error message and continue to check for the service to start.

B Command Line Utilities

Manage Secrets Utility
Collect Product Information Utility
Manage SSL Certificate Utility
Multicast Network Test Utility
Generate Replica Package Utility
Manage Nodes Utility

Manage Secrets Utility

The Manage Secrets utility exports or imports the encrypted properties file that contains the system fingerprint to or from a password-protected file. The exporting feature backs up a secured copy of the properties file, encrypted by a password provided by the administrator. Using the importing feature, the administrator can unlock the properties file for disaster recovery.

Note: The Manage Secrets utility is a password storage tool. This utility does not change the passwords for the services; it simply stores the passwords. It is the responsibility of the user to make sure that the passwords and user names in the properties file are kept in synchronization with the passwords set through the services.

The encrypted passwords are stored in RSA_AM_HOME/utils/etc/systemfields.properties.

Using the Manage Secrets Utility

To use manage-secrets:

1. Change directories to RSA_AM_HOME/utils.

2. Type the following (replace the variables with the configuration parameters described in the following section, Option Flags for manage-secrets):

    rsautil manage-secrets option flags

Examples:

To export the managed secrets into a file that will be used later to import them to a system:

    rsautil manage-secrets --action export --file myfile.exp -k file_password

To import a file that was created by the export action on either the same system or a different system:

    rsautil manage-secrets --action import --file myfile.exp -k file_password

To change the master password to a new value:

    rsautil manage-secrets --action change -n new-master-password

To restore the machine fingerprint for the password storage file:

    rsautil manage-secrets --action recover

To load a number of keys (in bulk) from a plain text file into the secure storage:

    rsautil manage-secrets --action load -f mysecrets.properties

To list the stored secrets using localized (English) descriptions:

    rsautil manage-secrets --action list

To display all properties by raw key name (not localized names):

    rsautil manage-secrets --action listkeys

Note: This action can be used before you change a value using the set or get actions. The set and get actions accept the raw key name, not the localized name.

To set a previously stored secret to a specified value:

    rsautil manage-secrets --action set com.rsa.appserver.admin.password administrator_password

To get the value of a single stored secret by name:

    rsautil manage-secrets --action get secret.raw.key.name

3. Enter your master password when prompted.

Option Flags for manage-secrets

The following table describes the option flags for this utility.

Flag  Alternate Flag     Description
-m    --master-password  Master password for the encrypted properties file.

Flag  Alternate Flag     Description
-a    --action           Set this to one of the following:
                         import. Imports a password-protected file to be system fingerprint-encrypted. A file can be imported to the same system or a different system.
                         export. Exports a system fingerprint-encrypted file to a password-protected file. This is used for backup purposes or to transport the managed secrets to a new server node that is being bootstrapped.
                         change. Changes the master password of a system fingerprint-encrypted file. This option only changes the password that is used by the command line utilities to open the fingerprint-encrypted file. It does not affect the machine fingerprint.
                         recover. Recovers a system fingerprint-encrypted file using the master password. This may be necessary if the host machine is reconfigured with more memory, new IP addresses, or new disks.
                         load. Loads a plain text properties file into an encrypted file.
                         list. Displays all properties by localized (English) name.
                         listkeys. Displays all properties by raw key name.
                         set. Sets a property to a specified value. You must specify the name and value of the property to set. This can also be used to add a new secret to the secure storage.
                         get. Lists the current value for a specified property. You must specify the name of the property to get. This option can be useful for scripting applications.
-n    --new-password     New master password for the change action.
-f    --file             Name of the password-protected file to import, export, or load.
-k    --file-password    Password to lock or unlock the file.
-h    --help             Prints help message.
-X    --debug            Displays debug messages.
-v    --version          Displays the version and copyright information.

Collect Product Information Utility

Use the Collect Product Information utility, collect-product-info, to collect system information, such as system log files and version information. The information is used to diagnose the system for problems. This utility collects the information, packages it into a .jar file, and encrypts the file. The file is named product_info. The encrypted file must be e-mailed or transferred to the user analyzing the contents. The recipient must also use the Collect Product Information utility to decrypt the file.

Note: The user must know the package password to decrypt the product_info file.

Using the Collect Product Information Utility

To run collect-product-info:

1. Change directories to RSA_AM_HOME/utils.

2. Type the following (replace the variables with the configuration parameters described in the following section, Option Flags for collect-product-info):

    rsautil collect-product-info option flags

For example:

    rsautil collect-product-info --export -t "2006-07-17 22:32:10.000" -p package_password

3. Enter your master password when prompted.

Option Flags for collect-product-info

The following table describes the option flags for this utility.

Flag      Alternate Flag     Description
--export                     Collects system information and exports it to an encrypted support package file.
--import                     Decrypts a support package file. Note: The file must be located in the current working directory.
-t        --archive-time     The archive time. The Authentication Manager logging files are retrieved from the data store after this local time stamp and until the current time. The format is yyyy-mm-dd hh:mm:ss.sss. Note: You must have double quotes around the archive time, and specify it in local 24-hour military time. If the archive time is not provided, log records from the previous hour are exported.
-m        --master-password  Master password of the encrypted properties file.

Flag      Alternate Flag      Description
-p        --package-password  Password to encrypt or decrypt the support data package.
-h        --help              Prints help message.
-v        --version           Prints utility version information.

Manage SSL Certificate Utility

Use the Manage SSL Certificate utility, manage-ssl-certificate, to manage certificates signed by a trusted certificate authority (CA). This utility simplifies the following common administrative tasks associated with managing SSL keystores and certificates. The tasks must be performed in the specified order:

1. Generate public and private key pairs in a keystore.

2. Create certificate signing requests (CSR) that the user submits to a certificate authority (CA).

3. Import the root certificate of the CA to the keystore.

4. Import the server certificate signed by the CA to the keystore.

5. Update the application server configuration, including the private key alias and password for the new certificate.

Using the Manage SSL Certificate Utility

To use manage-ssl-certificate:

1. Change directories to RSA_AM_HOME/utils.

Note: Configuration parameters used in these steps are described in the following section, Option Flags for manage-ssl-certificate.

2. Generate public and private key pairs in the keystore. Make sure you choose a keypass value that is at least six characters long. Keep the value confidential. Type the following command:

    rsautil manage-ssl-certificate --genkey --alias alias --keypass keypass --dname certificate-distinguished-name --keystore keystore-file-path

For example:

    rsautil manage-ssl-certificate --genkey --alias myalias --keypass mykeypass --dname CN=myserver.mycompany.com,OU=AM,L=mycity,C=US --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks"

Note: The certificate-distinguished-name is usually the name of the Authentication Manager server machine.

3. Create a certificate signing request (CSR). Use the same alias as in the previous step. Type the following command:

    rsautil manage-ssl-certificate --certreq --alias alias --keystore keystore-file-path --csr-file CSR-output-file-path

For example:

    rsautil manage-ssl-certificate --certreq --alias myalias --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks" --csr-file c:/certificates/mycertreq.pem

You can choose to combine this step with the previous one. For example:

    rsautil manage-ssl-certificate --generate-cert-request --alias myalias --keypass mykeypass --dname CN=myserver.mycompany.com,OU=AM,L=mycity,C=US --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks" --csr-file c:/certificates/mycertreq.pem

4. Import a CA root certificate to the keystore. Choose a value for the root certificate as the parameter ca-alias. Type the following command:

    rsautil manage-ssl-certificate --import --trustcerts --alias CAAlias --cert-file ca-certfile-path --keystore ca-keystore-file-path

For example:

    rsautil manage-ssl-certificate --import --trustcerts --alias mycaalias --cert-file c:/certificates/mycacertificate.cer --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks"

5. Import a signed server certificate to the keystore. Use the same alias as in previous steps. You can omit the keypass if it is the same as in previous steps. Type the following command:

    rsautil manage-ssl-certificate --import --alias alias --cert-file certfile-path [--keypass keypass] --keystore keystore-file-path

For example:

    rsautil manage-ssl-certificate --import --alias myalias --cert-file c:/certificates/myservercertificate.cer --keypass mykeypass --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks"

6. Configure the server to use the new private key and key passphrase. You can omit the keypass if it is the same as in previous steps. The servername is the name of the server node (also known as the managed server). Type the following command:

    rsautil manage-ssl-certificate --config-server --alias alias [--keypass keypass] --server-name servername

For example:

    rsautil manage-ssl-certificate --config-server --alias myalias --keypass mykeypass --server-name hostshortname_server

Note: For the primary instance, you need to configure proxy_server and hostshortname_server.

You can combine steps 4, 5, and 6 to import certificates and configure the server at the same time. Use the --update-server-certs option instead of --config-server. For example:

    rsautil manage-ssl-certificate --update-server-certs --ca-alias mycaalias --ca-cert-file c:/certificates/mycacertificate.pem --alias myalias --cert-file c:/certificates/myservercertificate.pem --keypass mykeypass --keystore "C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks" --server-name hostshortname_server

7. Enter your master password when prompted.

8. Restart the server for the config-server changes to take effect.

Option Flags for manage-ssl-certificate

The following table describes the option flags for this utility.

Flag             Alternate Flag            Description
--genkey                                   Generates public and private key pairs.
  --alias                                  Alias for the key entry.
  --keypass                                Password for the key entry.

Flag             Alternate Flag            Description
  --dname                                  Distinguished name of the certificate.
  --keystore                               Path of the keystore file.
  -m             --master-password         Master password of the encrypted properties file.
--certreq                                  Creates a certificate signing request (CSR).
  --csr-file                               Path of the CSR output file (required).
  --alias                                  Alias for the key entry (required).
  --dname                                  Distinguished name of the certificate.
  --keystore                               Path of the keystore file.
  --keypass                                Password for the key entry (optional).
  -m             --master-password         Master password of the encrypted properties file.
-g               --generate-cert-request   Generates key and CSR at the same time.
  --alias                                  Alias for the key entry (required).
  --keystore                               Path of the keystore file.
  --keypass                                Password for the key entry (required).
  --dname                                  Distinguished name of the certificate.
  -m             --master-password         Master password of the encrypted properties file.
  --csr-file                               Path of the CSR output file (required).
--import                                   Imports CA and server certificates to the keystore.
  --trustcacerts                           CA certificate flag (used only if importing a CA certificate).
  --alias                                  Alias for the key entry (required).
  --cert-file                              Path of the signed (encoded) certificate file from the CA.
  --keystore                               Path of the keystore file.
  --keypass                                Password for the key alias (only if importing a server certificate).
  -m             --master-password         Master password of the encrypted properties file.

Flag             Alternate Flag            Description
--config-server                            Configures the server node to use the new private key.
  --server-name                            Application server node name.
  --alias                                  Alias for the key entry.
  --keypass                                Password for the key entry (optional).
  -m             --master-password         Master password of the encrypted properties file.
-u               --update-server-certs     Imports the CA and server certificates and updates the application server configuration at the same time.
  --ca-alias                               Alias for the CA certificate.
  --ca-cert-file                           CA certificate file.
  --alias                                  Alias for the key entry.
  --cert-file                              Path of the encoded, signed certificate file from the CA.
  --keystore                               Path of the keystore file.
  --keypass                                Password for the key alias (only for the server certificate, optional).
  -m             --master-password         Master password of the encrypted properties file.
  --server-name                            Application server node name.
--list                                     Lists one or more entries in the keystore.
  --alias                                  Alias for the key entry (optional).
  --keystore                               Path of the keystore file.
  -m             --master-password         Master password of the encrypted properties file.
--printcert                                Displays the certificate file information.
  --cert-file                              Name of the certificate file.
-h               --help                    Prints usage information.
-v               --version                 Displays version information.
-x               --debug                   Displays debugging information.
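The keystore procedure above (generate key pair, create CSR, import CA root, import server certificate, configure the server node) depends on the same alias being used in every step, on a keypass of at least six characters, and on a distinguished name whose CN is normally the server machine name. The following Python planner is an added example, not part of the RSA guide or of the rsautil tool: it validates those inputs and emits the rsautil command lines in the required order without executing anything. SslCertPlan, check_plan, build_commands, render and the sample values are assumptions made for this example, and the --trustcerts spelling is taken from step 4 of the procedure.

```python
"""Pre-flight checks and an ordered command plan for the manage-ssl-certificate
procedure.  Added example, not RSA's code: it only builds and validates argv
lists; nothing is executed."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class SslCertPlan:                # hypothetical helper, not an rsautil concept
    alias: str                    # key entry alias, must be the same in every step
    keypass: str                  # key entry password, at least six characters
    dname: str                    # e.g. CN=myserver.mycompany.com,OU=AM,L=mycity,C=US
    keystore: str                 # keystore path; may contain spaces, quoted when rendered
    csr_file: str                 # CSR output file for the --certreq step
    ca_alias: str                 # alias chosen for the CA root certificate
    ca_cert_file: str             # CA root certificate file
    server_cert_file: str         # server certificate signed by the CA
    server_names: list            # nodes to configure; a primary needs both
                                  # hostshortname_server and proxy_server


def parse_dname(dname):
    """Split an X.500 distinguished name into {RDN type: value}.
    Commas escaped as '\\,' stay inside the value."""
    rdns = {}
    for part in re.split(r"(?<!\\),", dname):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        rdns[key.strip().upper()] = value.strip().replace("\\,", ",")
    return rdns


def check_plan(plan, expected_hostname):
    """Return the problems that would make a later step fail; empty means go."""
    problems = []
    if len(plan.keypass) < 6:                         # requirement stated in step 2
        problems.append("keypass must be at least six characters")
    try:
        cn = parse_dname(plan.dname).get("CN")
        if cn is None:
            problems.append("dname has no CN")
        elif cn.lower() != expected_hostname.lower():  # CN is usually the server machine name
            problems.append(f"CN {cn!r} does not match server hostname {expected_hostname!r}")
    except ValueError as exc:
        problems.append(str(exc))
    if plan.alias == plan.ca_alias:                   # CA root and server key need distinct aliases
        problems.append("server alias and CA alias must differ")
    if not plan.server_names:
        problems.append("at least one server node name is required")
    return problems


def build_commands(plan):
    """Ordered argv lists for steps 2 to 6 of the procedure (one --config-server per node)."""
    ks = plan.keystore
    cmds = [
        ["rsautil", "manage-ssl-certificate", "--genkey", "--alias", plan.alias,
         "--keypass", plan.keypass, "--dname", plan.dname, "--keystore", ks],
        ["rsautil", "manage-ssl-certificate", "--certreq", "--alias", plan.alias,
         "--keystore", ks, "--csr-file", plan.csr_file],
        ["rsautil", "manage-ssl-certificate", "--import", "--trustcerts",
         "--alias", plan.ca_alias, "--cert-file", plan.ca_cert_file, "--keystore", ks],
        ["rsautil", "manage-ssl-certificate", "--import", "--alias", plan.alias,
         "--cert-file", plan.server_cert_file, "--keypass", plan.keypass, "--keystore", ks],
    ]
    for name in plan.server_names:
        cmds.append(["rsautil", "manage-ssl-certificate", "--config-server",
                     "--alias", plan.alias, "--keypass", plan.keypass, "--server-name", name])
    return cmds


def render(cmds):
    """One POSIX-quoted line per command; the keystore path with spaces gets quoted.
    As in the guide's own examples, the keypass is visible on the command line."""
    return [" ".join(shlex.quote(arg) for arg in cmd) for cmd in cmds]


if __name__ == "__main__":
    plan = SslCertPlan(                               # sample values from the guide's examples
        alias="myalias", keypass="mykeypass",
        dname="CN=myserver.mycompany.com,OU=AM,L=mycity,C=US",
        keystore="C:/Program Files/RSA Security/RSA Authentication Manager/server/security/myServerName.jks",
        csr_file="c:/certificates/mycertreq.pem", ca_alias="mycaalias",
        ca_cert_file="c:/certificates/mycacertificate.cer",
        server_cert_file="c:/certificates/myservercertificate.cer",
        server_names=["hostshortname_server", "proxy_server"])
    for problem in check_plan(plan, "myserver.mycompany.com"):
        print("problem:", problem)
    print("\n".join(render(build_commands(plan))))
```

Run the planner before touching the keystore: an empty problem list from check_plan means the inputs are consistent across all five steps, and the rendered lines can be pasted in order, restarting the server after the last one as step 8 requires.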

Multicast Network Test Utility

Use the Multicast Network Test utility, test-multicast, to troubleshoot problems that may occur as a result of deploying RSA Authentication Manager in a clustered environment. The utility verifies whether multiple machines can communicate with each other over the network using multicast. Server nodes in a cluster must be in the same subnet as the primary database server and must be able to communicate. If the utility finds that two machines can communicate successfully, the problem does not lie in the network configuration.

Utility Messages

The utility displays ping-like messages verifying that the specified hosts can exchange messages. Normal execution messages are similar to these:

    I (server100) sent message num 507
    Received message 507 from server100

The utility displays an error message only if something is wrong, such as the port being in use or the resource being unavailable.

You must also know:

- If a host is misconfigured, the utility displays only the sending messages, not the receiving ones.

- The utility uses a multicast address which, unlike a regular IP address, is not assigned to a single machine. A multicast address causes the message to propagate throughout the subnet. Any host with a listener open on that multicast address can receive the message.

Examples

You can run the Multicast Network Test utility on multiple hosts in any order.
For example, on the primary instance, you might type this command:

    rsautil test-multicast --name Primary --address 237.1.2.3

The following messages appear:

    I (Primary) sent message num 1
    Received message 1 from Primary

On the replica instance, you might type this command:

    rsautil test-multicast --name Replica --address 237.1.2.3

The following messages appear:

    I (Replica) sent message num 1
    Received message 1 from Replica
    Received message 2 from Primary

The primary instance begins to receive these messages from the replica instance:

    I (Primary) sent message num 2
    Received message 1 from Replica

Using the Multicast Network Test Utility

To run test-multicast:

1. Change directories to RSA_AM_HOME/utils, and type the following (replace the variables with the configuration parameters described in the following section, Option Flags for test-multicast):

    rsautil test-multicast --name name --address address

For example, the command for a multicast test on MyServer on IP 237.1.2.3 and default port 7001:

    rsautil test-multicast --name MyServer --address 237.1.2.3

2. Review the output to verify that messages are sent and received. Normal output:

    I (MyServer) sent message num 507
    Received message 507 from MyServer

3. To stop testing, type CTRL-C. Until you stop it manually, the utility continues testing the connection.

Option Flags for test-multicast

The following table describes the option flags for this utility.

Flag  Alternate Flag   Description
-n    --name           Required. Arbitrary system identifier used in the test. Good values include the system hostname or IP address.
-a    --address        Required. The multicast IP address. Use the Authentication Manager multicast IP, 230.1.2.3, for testing.
-o    --port           The multicast port. Default: 7001.
-t    --timeout        The idle timeout.
-s    --send-pause     The pause between sending packets in seconds. Default: 2.
-c    --interface      Address of the interface card (NIC) to use. If none is specified, the utility attempts to use the default NIC. Use this option if Authentication Manager is being deployed on multiple NICs.
-l    --time-to-live   Time-to-live of packets (number of hops). Default: 1.
-i    --interactive    Interactive mode.
-v    --version        Prints version information.
-h    --help           Prints help messages.
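Reading the test-multicast output by eye works for two hosts, but with several nodes the telling sign described above (a misconfigured host prints only its own sending lines, and nobody else prints a "Received message ... from" line naming it) is easier to check mechanically. The following Python analyzer is an added example, not the RSA utility itself: it parses the ping-like lines from the captured output of each host and reports which hosts are heard by the others. The CAPTURES dictionary and the functions parse_capture, analyze and isolated_hosts are constructed for this example; the host names and message numbers are made up.

```python
"""Analyzer for captured test-multicast output from several hosts.  Added
example, not the RSA utility: it parses the ping-like lines the utility
prints and reports hosts whose messages never reach any other host."""
import re
from collections import defaultdict

SENT_RE = re.compile(r"^I \((?P<host>\S+)\) sent message num (?P<num>\d+)$")
RECV_RE = re.compile(r"^Received message (?P<num>\d+) from (?P<host>\S+)$")

# Constructed captures: Primary and Replica hear each other; Node3 only sends,
# the symptom the guide describes for a misconfigured host.
CAPTURES = {
    "Primary": """\
I (Primary) sent message num 1
Received message 1 from Primary
I (Primary) sent message num 2
Received message 2 from Primary
Received message 1 from Replica
""",
    "Replica": """\
I (Replica) sent message num 1
Received message 1 from Replica
Received message 2 from Primary
""",
    "Node3": """\
I (Node3) sent message num 1
I (Node3) sent message num 2
""",
}


def parse_capture(text):
    """Return (message numbers this host sent, {sender: numbers received from it})."""
    sent, received = set(), defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if m := SENT_RE.match(line):
            sent.add(int(m["num"]))
        elif m := RECV_RE.match(line):
            received[m["host"]].add(int(m["num"]))
    return sent, received


def analyze(captures):
    """Per host: messages sent, whether it received its own, which other hosts
    received it, and whether it is isolated (sends but is heard by nobody else)."""
    parsed = {host: parse_capture(text) for host, text in captures.items()}
    findings = {}
    for host, (sent, received) in parsed.items():
        heard_by = sorted(other for other, (_, recv) in parsed.items()
                          if other != host and recv.get(host))
        findings[host] = {
            "sent": len(sent),
            "hears_self": bool(received.get(host)),
            "heard_by": heard_by,
            "isolated": bool(sent) and not heard_by,
        }
    return findings


def isolated_hosts(captures):
    """Hosts to investigate first: check their NIC (--interface), the port,
    the time-to-live, and that they share the subnet with the other nodes."""
    return sorted(host for host, f in analyze(captures).items() if f["isolated"])


if __name__ == "__main__":
    for host, finding in analyze(CAPTURES).items():
        print(host, finding)
    print("isolated:", isolated_hosts(CAPTURES))
```

Because the utility runs until interrupted, capture each host's console output to a file for a minute or so, then feed the files in as the dictionary values; a host that appears in isolated_hosts while the others hear each other points at that host's configuration rather than at the network as a whole.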

Generate Replica Package Utility

Use the Generate Replica Package utility, gen-replica-pkg, to gather information from the primary database server and make it available to the replica database server host. This information is required when you add a replica to your deployment.

Important: Generating a data file requires up to two times the disk space used by the data.

Online and Offline Synchronization

When generating a replica package you can choose whether to generate a primary data file (a snapshot of data in the primary instance) for later offline synchronization.

Online synchronization. This method transfers all data from the primary database server to the replica instance over a network connection.

Offline synchronization. This method transfers only administrative data over a network connection. The replica instance is initialized with the data from the replica package. You can use this method only if you generated a primary data file.

If your system has been active long enough to accumulate a large amount of data, and the connection speed between your primary database server and replica database server host is limited, you might decide to use offline synchronization to speed up your replica instance deployment.

Using the Generate Replica Package Utility

To create a replica package for offline synchronization:

1. From a command prompt on the host of the primary database server, change to RSA_AM_HOME/utils/.

2. Type:

    rsautil gen-replica-pkg -t hostname [-u admin_username] [-g]

where:

hostname is the fully qualified hostname of the replica database server host.

admin_username is the Super Admin user name. The default is admin.

-g indicates that you want to generate the primary data file as part of the replica package, to use for offline synchronization during installation.

Note: Configuration parameters used in these steps are described in the following section, Option-Flags for gen-replica-pkg.

3. If you did not enter -g, when prompted, indicate if you will use offline synchronization.

4. Enter the Super Admin password when prompted.

5. Enter your master password when prompted. By default, this is the same as the Super Admin password, unless the Super Admin password was changed after installation.

The message Successfully generated hostname-replica.pkg appears. The replica package will be output to the current directory as hostname-replica.pkg.

Option-Flags for gen-replica-pkg

Flag  Alternate Flag     Description
-g    --generate-data    Indicates you want to generate the primary data file as part of the replica package, to allow offline data synchronization during installation. Optional.
-o    --overwrite-pkg    Overwrites the replica package if one exists.
-I    --interactive      Enters all values interactively.
-m    --master-password  Master password for the encrypted properties file.
-t    --host             Fully-qualified hostname of the new replica host.
-u    --admin-uid        Administrator's User ID. Default: admin.
-p    --admin-password   Administrator's password.
-v    --version          Displays the version information.
-h    --help             Displays help information.

Manage Nodes Utility

Use the Manage Nodes utility to gather information from the primary or replica database server and make it available to the server node host.

Using the Manage Nodes Utility

To create a node package file using the Manage Nodes utility:

1. From a command prompt on the host of the database server, change to RSA_AM_HOME/utils/.

2. Type:

    rsautil manage-nodes --node-host hostname --action add-node

where hostname is the fully qualified host name of the server node host.

Note: See the following section, Option-Flags for manage-nodes, for complete information on the option flags.

3. At the prompt, enter your master password. The message Adding node to cluster appears.

4. Verify that the directory contains a file named hostname-node.pkg, where hostname reflects the hostname value you specified for the --node-host argument.

Option-Flags for manage-nodes

Flag  Alternate Flag     Description
-n    --node-host        Fully qualified hostname of the new cluster node.
-i    --node-ip          IP address for the new cluster node (optional).
-m    --master-password  Master password for the encrypted properties file.
-u    --admin-uid        Administrator's User ID. Default: admin.
-p    --admin-password   Administrator's password.
-I    --interactive      Allows you to enter all values interactively.
-o    --overwrite        Overwrites the existing node package.
-a    --action           add-node. Adds a server node to the cluster.
                         rem-node. Removes a server node from the cluster.
                         list-nodes. Lists the server nodes in this cluster.
-v    --version          Displays the version information.
-h    --help             Displays help information.

Glossary

Active Directory
    The directory service that is included with Microsoft Windows Server 2003 and Microsoft Windows 2000 Server.

Active Directory forest
    A federation of identity servers for Windows Server environments. All identity servers share a common schema, configuration, and Global Catalog.

AD
    See Active Directory.

adjudicator
    A component that defends Authentication Manager against replay attacks in which an intruder attempts to reuse an old passcode or acquires the current passcode for a token and sets the system clock back to use the captured passcode.

administrative command
    A command other than a system-generated command.

administrative role
    A collection of permissions and the scope within which those permissions apply.

administrator
    Any user with one or more administrative roles that grant administrative permission to manage administrative resources.

Advanced Encryption Standard (AES)
    The current cryptographic standard, adopted by the National Institute of Standards and Technology (NIST) in November, 2001. AES replaces Data Encryption Standard (DES) because it is considered to be more secure.

Advanced license
    Authentication Manager license that allows a primary instance, multiple replica instances, and multiple server nodes.

AES
    See Advanced Encryption Standard.

agent
    A software application installed on a device, such as a domain server, web server, or desktop computer, which enables authentication communication with Authentication Manager on the network server.

Agent Auto-Registration Service
    A utility included in the RSA Authentication Agent software that enables you to automatically register new authentication agents in the internal database, and updates the IP addresses for existing agents.

agent host
    The machine on which an agent is installed.

Agent Protocol Server
    The Authentication Manager component that manages the ACE protocol packet traffic to and from agents. The inbound request packets are routed to the appropriate message handler. The response packets are sent to the originating agent.

attribute
    A characteristic that defines the state, appearance, value, or setting of something. In Authentication Manager, attributes are values associated with users and user groups. For example, each user group has three standard attributes called Name, Identity Source, and Security Domain.

attribute mapping
    The process of relating a user or user group attribute, such as User ID or Last Name, to one or more identity sources linked to a given realm. No attribute mapping is required in a deployment where the internal database is the primary identity source.

audit information
    Data found in the audit log representing a history of system events or activity including changes to policy or configuration, authentications, authorizations, and so on.

audit log
    A system-generated file that is a record of system events or activity. The system includes four such files, called the Trace, Administrative, Runtime Audit, and System logs.

authentication
    The process of reliably determining the identity of a user or process.

authentication authority
    The central entry point for authentication services.

authentication broker
    A component that handles the authentication process and issuance of authentication tickets.

authentication method
    The type of procedure required for obtaining authentication, such as a one-step procedure, a multiple-option procedure, or a chained procedure.

authentication policy
    A collection of rules that specify the authentication requirements. An authentication policy may be associated with one or more resources.

authentication protocol
    The convention used to transfer credentials of a user during authentication. For example, HTTP-BASIC/DIGEST, NTLM, Kerberos, and SPNEGO.

Authentication Server
    An Authentication Manager component made up of services that handle authentication requests, database operations, and connections to the RSA Security Console.

authenticator
    A mechanism for users to verify their identity to the Authentication Manager. This can be either hardware (for example, RSA SecurID) or software (for example, RSA SecurID software token).

authorization
    The process of determining if a user is allowed to perform an operation on a resource.

authorization data
    A container of information defined by the provisioning server, which is necessary to complete the provisioning of a CT-KIP ready token. Authorization data includes the appropriate serial number and places the new token credentials in the Authentication Manager database.

auto-registration
    A setting which, if enabled, permits unregistered users to become registered upon a successful authentication to a system-managed resource. If auto-registration is disabled, only an administrative action can register users. Also see registered user and unregistered user.

Base license
    Authentication Manager license that allows one primary instance and one replica instance. Also see Advanced license.

cache
    A type of computer memory with fast access time that is used for storing frequently used instructions or data. Users cannot directly interact with the cache.

certificate
    An asymmetric key that corresponds with a private key. Either self-signed or signed with the private key of another certificate.

chained authentication
    The process of creating a strong form of authentication by combining two weaker forms. For example, the user is required to use a PIN and a tokencode.

CIDR
    See Classless Inter-Domain Routing.

Classless Inter-Domain Routing (CIDR)
    A bitwise, prefix-based standard for the interpretation of IP addresses. CIDR replaces the old A, B, and C address scheme for more efficient allocation of IP addresses.

client time-out
    The amount of time (in seconds) that the user's desktop can be inactive before reauthentication is required.

CLU
    See command line utility.

cluster
    An instance consisting of a database server and one or more server nodes.

command line utility (CLU)
    A utility that provides a command line user interface.

connection pool
    A group of identical database connections between Authentication Manager and the data store.

contact list
    A list of server nodes provided by the Authentication Manager to the agent, where the agent can direct authentication requests.

context-based authentication
    An authentication sequence in which the system presents the user with only the authentication options that are appropriate for the User ID entered. The options are based on policy requirements and the authenticators that the user owns.

core attributes
    The fixed set of attributes commonly used by all RSA Security products to create a user. These attributes are always part of the primary user record, whether the deployment is in an LDAP or RDBMS environment. You cannot exclude core attributes from a view, but they are available for delegation.

cryptographic algorithm
    A mathematical function that uses plain text as the input and produces cipher text as the output and vice-versa. It is used for encryption and decryption.

CT-KIP
    Cryptographic Token-Key Initialization Protocol.

CT-KIP client
    A program that implements the CT-KIP client-side protocol and interacts with a CT-KIP server for the secure initialization of tokens.

CT-KIP enabled token
    A token that is capable of storing the authorization data and seed generated as a result of CT-KIP operations between a CT-KIP 1.0 client and an RSA Authentication Manager 7.0 CT-KIP server.

CT-KIP protocol messages
    The Protocol Data Units (PDU) exchanged between client and server in order to generate a seed on both server and client.

CT-KIP protocol transport binding
    Specifies a binding of the CT-KIP message interaction, such as requests and responses, to a transport protocol such as HTTP.

CT-KIP server
    A software component of Authentication Manager that implements the CT-KIP server-side protocol and interacts with a CT-KIP client application for the secure initialization of tokens.

CT-KIP toolkit
    An implementation of the CT-KIP client-server protocol. It provides the API for creating CT-KIP server or client applications.

customer name
    The name of the enterprise to which the license is issued.

data encryption standard operation (DES)
    The cryptographic standard prior to November 2001, when the National Institute of Standards and Technology (NIST) adopted the Advanced Encryption Standard (AES).

data store
    A data source such as a relational database (Oracle or DB2) or directory server (Sun Java System Directory Server or Microsoft Active Directory). Each type of data source manages and accesses data differently.

Data Transfer Object (DTO)
    Simple object used to pass data between tiers. It does not contain business logic.

database server
    The server where the database is installed.

delegated administration
    A scheme for defining the scope and responsibilities of a set of administrators. It permits administrators to delegate a portion of their responsibilities to another administrator.

denial of service
    The result of barraging a server with requests that consume all the available system resources, or of passing malformed input data that can cause the system to stop responding.

deployment
    The arrangement of Authentication Manager elements into appropriate locations in a network to perform authentication.

DES
    See data encryption standard operations.

DTO
    See data transfer object.

dump
    An RSA ACE/Server format used to back up, restore, and merge database information. A dump file is a binary data file that contains all database tables and columns in table-dependency order.

EAP
    See extensible authentication protocol.

emergency access
    The process for enabling a token for a user whose token is not available or is not functioning. Used in connection with offline authentication access.

emergency access passcode
    A complete authentication code that, if enabled, can be used by a user to perform an offline authentication without an authenticator or PIN.

emergency access tokencode: A partial authentication code that, if enabled, can be used by a user to perform an offline authentication without an authenticator. The user is required to provide his or her PIN.

Evaluation license: Authorizes an evaluation copy of the product at a customer site.

extensible authentication protocol (EAP): An authentication protocol that supports multiple authentication methods, including one-time passcodes used for RSA SecurID authentication.

external attributes: Customer-defined attributes for which the value is dynamically derived through a callout function (class). These are necessary for RSA ClearTrust backward compatibility. You can report and query on these attributes.

failover mode: Refers to the state in which the connection pool management service has to use the secondary connection pools for serving the connection requests, because the primary connection pools are not available due to the failed primary.

floating license: An enterprise license that is not attached to any particular product and instance combination. It can apply to any machine running the product.

four-pass CT-KIP: The exchange of two protocol data units (PDUs) between the client and server.

Global Catalog: A read-only, replicated repository of a subset of the attributes of all entries in a forest.

graded authentication: A mechanism for noting the relative strengths of authentication methods (either individually or as combinations). For example, an RSA SecurID token is better than a user name and password. Equivalently ranked methods may be used interchangeably.

high-water-mark: The highest numbered interval used by a user to authenticate.

identity attribute definitions: Customer-defined attributes that are mapped to an existing customer-defined schema element. They are always stored in the same physical repository as the user's or user group's core attribute data. You can search, query, and report on these attributes. Each identity attribute definition must map to an existing attribute in the LDAP or RDBMS.

Identity Management Services: The set of shared components, toolkits, and services used to build RSA Security products, for example, Authentication Manager.

identity source: A data store containing user and user group data. The data store can be the internal database or an external directory server, such as Sun Java System Directory Server or Microsoft Active Directory.

IMS: See Identity Management Services.

initial time-out: The wait time, in seconds, before the initial remote access prompt appears. (The term is used in relation to remote RSA SecurID authentication.)

instance: A single database server, or a database server and one or more server nodes, acting as a single cohesive processing unit.

instance ID: This ID identifies a single logical installation of a product or component. For example, in a non-clustered environment, it identifies the database server. In a clustered environment, it identifies the database server and the entire cluster of server nodes. Likewise for web agents, a single agent may have a unique instance ID or an entire server farm may share a single instance ID.

instance name: The name assigned to an instance. It is either the hostname where a single server node is installed or the cluster name where the clustered instance is installed.

interval: A value used to represent a specific time-based PRN code being generated by an authenticator.

internal database: The Authentication Manager proprietary data source.

J2EE: Java 2 Enterprise Edition. A framework for building enterprise applications using Java technology.

Java Cryptographic Architecture (JCA): The set of APIs provided by the Java 2 platform that establishes the architecture and encapsulates limited cryptographic functionality from various cryptographic providers.

Java Cryptographic Extensions (JCE): The set of APIs provided by the Java 2 platform that encapsulates additional cryptographic functionality from various cryptographic providers.

Java Management Extensions (JMX): The set of APIs provided by the Java 2 platform that enables building distributed, web-based, dynamic and modular solutions for managing and monitoring devices, applications, and service-driven networks.

Java Messaging Service (JMS): A standard Java interface for interacting with message queues and topics.

Java Server Pages (JSP): A commonly used technology for dynamic web content.

JCA: See Java Cryptographic Architecture.

JCE: See Java Cryptographic Extensions.

JKS: The Java 2 platform implementation of a keystore provided by Sun Microsystems.

JMS: See Java Messaging Service.

JMX: See Java Management Extensions.

JSP: See Java Server Pages.

keystore: The Java 2 platform facility for storing keys and certificates.

Key Management: The management of the generation, use, storage, security, exchange, and replacement of cryptographic keys.

Key Management encryption key: The key used for encryption or decryption operations of keys managed by Key Management Services.

LAC: See Local Authentication Client.

license: A verifiable piece of information that represents permission from RSA Security to use Authentication Manager, its features, or both. A license is a component of the License Management Service.

license category: A way of grouping different types of licenses. Base license, Advanced license, and Evaluation license are the three license categories.

license creation date: The date when the license file was created.

license deployment: Specifies either a server or floating license.

license file: An XML file containing license data that is common across all IMS-based products. The categories of data are: client, product, and feature. A license file is a component of LMS.

license file version: The version of the license schema to which the generated license conforms.

license ID: An internal identifier associated with the license. RSA Manufacturing assigns the license ID.

License Management Service (LMS): A service responsible for managing and validating software licenses.

license.rec: A license record file containing the database key needed to extract critical information from the DMP file.

LMS: See License Management Service.

Local Authentication Client (LAC): An RSA Authentication Agent component that requires users to enter valid RSA SecurID passcodes to access their Microsoft Windows desktops.

locked license: A license limited to a specific server instance. See server license.

lockout policy: A set of specifications defining the conditions under which an account is locked and whether the account must be unlocked by an administrator or will unlock on its own after a designated amount of time. Lockout policies are applied to security domains.

log archival: Creates a backup copy of the log for noncurrent, permanent storage.

logging service: A component responsible for recording system, audit, and trace events.

lower-level security domain: In a security domain hierarchy, a security domain that is nested within another security domain.

Management Information Base (MIB): A type of virtual database used to manage the devices (switches and routers, for example) in a communication network. For example, SNMP uses MIB to specify the data in a device subsystem.

MD5: An algorithm that produces a 128-bit message digest.

member user: A user who is a member of a member user group.

member user group: A user group that is a member of another user group. For example, an organization might define a Sales Managers user group within a North America user group. All member user groups must belong to the same identity source as the parent group, with one exception: any user group from any identity source can be assigned to a parent group that is stored in the internal database.

MIB: See Management Information Base.

Microsoft Management Console (MMC): A user interface through which system administrators can configure and monitor the system.

MMC: See Microsoft Management Console.

namespace: A set of names. A namespace defines a scope for a collection of names.

Network Management System (NMS): Software used to manage and administer a network. The NMS uses SNMP to monitor networked devices and is responsible for polling and receiving SNMP traps from agents in the network.

NEXUS: The external marketing name for the RSA Security Identity and Access Management vision and strategy. NEXUS is not a product.

NMS: See Network Management System.

NMS administrator: The person monitoring the network (through the NMS) for significant events. Also known as a network administrator.

node secret: A long-lived symmetric key that the agent uses to encrypt the data in the authentication request. Authentication Manager generates the authentication request when a user makes a successful authentication attempt. The node secret is known only to the Authentication Manager and the agent.

object: Describes the following: security domains, identity sources, attributes, users, user groups, administrative roles, and policies.

offset: A value used to represent the amount of time an authenticator's internal clock has drifted over time.

PAM: See Pluggable Authentication Modules.

passcode: A code entered by a user to authenticate. The passcode is a combination of a PIN and a tokencode.

password-based encryption: The process of obscuring information so that it is unreadable without knowledge of the password.

password policy: A set of specifications that define what constitutes a valid password and the conditions under which the password expires. Password policies are applied to security domains.

PDU: See Protocol Data Unit.

permissions: Specifies which tasks an administrator is allowed to perform.

Pluggable Authentication Modules (PAM): Mechanisms that allow the integration of new authentication methods into an API, independent of the existing API authentication scheme.

primary connection pool: Refers to the connection pools containing the connections to the primary instance database server.

primary instance: The instance of the Authentication Manager software installation at which authentication and all administrative actions occur.

private key: In asymmetric key cryptography, the cryptographic key that corresponds to the public key. The private key is usually protected by some external mechanism (for example, smart card, password encrypted, and so on).

PRN: See pseudorandom number.

Protocol Data Unit: A packet of data exchanged between two application programs across a network.

provisioning data: The provisioning server-defined data. This is a container of information necessary to complete the provisioning of a token device. Its format is not specified by CT-KIP because it is outside the realm of CT-KIP, but it is necessary for provisioning.

pseudorandom number (PRN): A random number or sequence of numbers derived from a single seed value.

public key: In asymmetric key cryptography, the cryptographic key that corresponds with the private key. The public key is usually encapsulated within a certificate.

RADIUS: See Remote Authentication Dial-In User Service.

realm: An entire security domain hierarchy consisting of a top-level security domain and all of its lower-level security domains. A realm includes all of the objects managed within the security domain hierarchy (users, tokens, and password policies, for example). Each realm manages users and user groups in one or more identity sources.

regular time-out: The number of seconds before remote access prompts time out. The term is used in relation to remote RSA SecurID authentication.

Remote Authentication Dial-In User Service (RADIUS): A UDP-based protocol for administering and securing remote access to a network.

remote EAP (extensible authentication protocol): A remote authentication feature that requires users to submit RSA SecurID passcodes in order to open remote connections to the network. EAP has a graphical user interface and enhanced security and is supported in both Point-to-Point Protocol (PPP) authentication environments and non-PPP authentication environments, including Point-to-Point Tunneling Protocol (PPTP) VPN connections, 802.1x wired and 802.11 wireless connections, and other specialized network media.

remote post-dial: Refers to the dial-in Point-to-Point Protocol (PPP) authentication support. With a post-dial terminal-based connection, when remote users dial in, a terminal-like character interface presents a simple user name and passcode prompt. If the right passcode is entered, the PPP connection is established. If the wrong passcode is entered, the dial-up connection is severed.

replica instance: The instance of the Authentication Manager software installation at which authentication occurs and at which an administrator can view the administrative data. No administrative actions are performed on the replica instance. All administrative actions are performed on the primary instance.

RSA Security Console: A user interface through which the user performs tasks using Authentication Manager.

RSA Security EAP: The RSA Security implementation of the EAP type 15 authentication protocol that facilitates RSA SecurID authentication to networks in PPP, PPTP (VPN), and 802.1x (wireless or port access) environments.

RSA Security Protected OTP: The RSA Security implementation of the EAP type 32 authentication protocol that facilitates RSA SecurID authentication to networks in PPP, PPTP (VPN), and 802.1x (wireless or port access) environments.

runtime: Describes automated processing behavior that occurs without direct administrator interaction.

runtime command: A logon or logoff command.

runtime identity source: The runtime representation of the identity source. Runtime identity sources are used during runtime operations, such as authentication and group membership resolution, instead of the corresponding administrative source, which is used for all other operations. This is an integral part of Active Directory forest support, which uses the Global Catalog during runtime operations.

scope: In a realm, the security domain or domains within which a role's permissions apply.

secondary connection pool: Refers to the connection pools containing the connections to the secondary data stores.

Secure Sockets Layer (SSL): A protocol that uses cryptography to enable secure communication over the Internet. SSL is widely supported by leading web browsers and web servers.

security domain: A container that defines an area of administrative management responsibility, typically in terms of business units, departments, partners, and so on. Security domains establish ownership and namespaces for objects (users, roles, permissions, and so on) within the system. They are hierarchical.

server license: A non-floating license that is associated with the product and instance for which it is installed. The license applies to the specific instance hosting the product.

server node: An installation of Authentication Manager on a single server host. Each instance has one server node that contains the internal database. You can add additional server nodes to an instance. The additional server nodes cannot operate alone because they do not contain the internal database.

session: An encounter between a user and a software application that contains data pertaining to the user's interaction with the application. A session begins when the user logs on to the software application and ends when the user logs off of the software application.

session policy: A set of specifications designating the restrictions on overall session lifetime and multiple session handling. Session policies are applied to an instance.

SHA1: A secure hash algorithm function that produces a 160-bit hash result.

Simple Network Management Protocol (SNMP): A protocol for exchanging information about networked devices and processes. SNMP uses MIBs to specify the management data, and then uses the User Datagram Protocol (UDP) to pass the data between SNMP management stations and the SNMP agents.

single sign-on (SSO): The process of requiring only a single user authentication event in order to access multiple applications and resources.

snap-in: A software program designed to function as a modular component of another software application. For example, the MMC has a variety of snap-ins that offer different functionality (for example, Device Manager).

SNMP: See Simple Network Management Protocol.

SNMP Agent: Software module that performs the network management functions requested by network management stations.

SNMP trap: An asynchronous event that is generated by the agent to tell the NMS that a significant event has occurred. SNMP traps are designed to capture errors and reveal their locations.

SSL: See Secure Sockets Layer.

SSO: See single sign-on.

Super Admin: An administrator who has all permissions within the system. A Super Admin:
    Can create and delete realms
    Can link identity sources to realms
    Has full permissions within any realm
    Can assign administrative roles within any realm

symmetric key: A key that allows the same key value for the encryption and decryption of data.

system event: System-generated information related to nonfunctional system events such as server startup and shutdown, failover events, replication events, and so on.

system log: Persistable store for recording system events.

TACACS+: See Terminal Access Controller Access Control System+.

Terminal Access Controller Access Control System+ (TACACS+): A remote authentication protocol that is used to communicate with an authentication server. Allows a remote access server to communicate with an authentication server in order to determine if a user has access to the network.

token: A hardware device or software program that generates a pseudorandom number that is used in authentication procedures to verify a user's identity.

tokencode: The random number displayed on the front of a user's RSA SecurID token. Tokencodes change at a specified time interval, typically every 60 seconds.

top-level security domain: The top-level security domain is the first security domain in the security domain hierarchy (realm). The top-level security domain is unique in that it links to the identity source or sources and manages password, locking, and authentication policy for the entire realm.

trace log: Persistable store for trace information.

two-factor authentication: An authentication protocol requiring two different ways of establishing and proving identity.

two-pass CT-KIP: The exchange of one protocol data unit (PDU) between the client and server.

UDP: See User Datagram Protocol.

user: An account managed by the system that is usually a person, but may be a computer or a web service.

User Datagram Protocol (UDP): A protocol that allows programs on networked computers to communicate with one another by sending short messages called datagrams.

user group: A collection of users, other user groups, or both.

User ID: A character string that the system uses to identify a user attempting to authenticate. Typically a User ID is the user's first initial followed by the last name. For example, Jane Doe's User ID might be jdoe.

Index

A
access control, 20
Active Directory, 19
    definition, 119
    forest, 78
    forest, definition, 119
    Global Catalog, 78
    group membership, 84
    large deployment example, 37
    MMC Extension, 91
    password policy, 84
    starting console, 94
Active Directory forest
    definition, 119
adjudicator
    definition, 119
administrative command
    definition, 119
administrative identity source, 78
administrative role
    definition, 119
administrator
    definition, 119
Advanced license
    definition, 119
agent
    contact lists, 99
    definition, 119
    documentation, 11
    download software, 20
    supported, 20
Agent Auto-Registration Service
    definition, 119
agent host
    definition, 119
Agent Protocol Server
    definition, 120
attribute
    definition, 120
attribute mapping
    definition, 120
audit information
    definition, 120
audit log
    definition, 120
authentication
    definition, 120
authentication authority
    definition, 120
Authentication Manager
    certificate and key, 40, 48, 55
    installation requirements, 17
    installing with console, 40, 49, 56
    installing with GUI, 39, 40, 47, 49, 54, 56
    license, 20
    pre-installation checklist, 21, 22
    server fails to start, 102
    silent installation, 42
    starting, 65
    starting services on Windows, 64
    stopping, 65
    stopping services on Windows, 64
    system architecture, 11
    user for Linux installation, 22
authentication policy
    definition, 120
Authentication Server, 11
    definition, 120
authenticator
    definition, 121
authorization
    definition, 121
authorization data
    definition, 121
auto-registration
    definition, 121

B
backup
    post-installation, 43, 52, 59
    standalone primary instance, 61
Base license
    definition, 121
browser
    security, 19
    support, 19
Index 135

C
cache
    definition, 121
certificate
    definition, 121
    LDAP, 73
    manage, 109
    SSL requirements, 69
    SSL-LDAP, 19
chained authentication
    definition, 121
checklists
    planning your deployment, 27
    pre-installation, 21, 22
clocks, synchronizing, 45
CLU
    Collect Product Information, 108
    Generate Replica Package, 116
    Initialize Identity Source, 84
    Manage Nodes, 117
    Manage Secrets, 105
    Manage SSL Certificate, 70, 109
    Multicast Network Test, 114
CLU. See Command Line Utility
cluster
    definition, 121
Collect Product Information utility, 102
command line operations
    installation, 40, 49, 56
    removing a primary instance, 100
    removing a replica instance, 98
    removing a server node, 96
command line utility
    definition, 122
compatibility, Authentication Agents, 20
components, 11
connection pool
    definition, 122
contact list
    definition, 122
    rebalancing, 52, 99
context-based authentication
    definition, 122
core attributes
    definition, 122
Cryptographic Token-Key Initialization Protocol
    client, 122
    enabled token, 122
    server, 122
    toolkit, 123
CT-KIP
    post-installation configuration, 74
CT-KIP. See Cryptographic Token-Key Initialization Protocol

D
data store
    definition, 123
data store, supported, 19
Data Transfer Object
    definition, 123
data, user and group, 19
database, 11, 19, 21, 23
    data replication, 13
    encryption, 63
    internal, 11
database server
    definition, 123
    primary, 12
    replica, 12
delegated administration
    definition, 123
deployment
    checklist, 27
    definition, 123
    example, 34
    large, 37
    medium, 35
    model, 27
    process illustration, 32
    small, 34
DHCP, 21
disk space, 17
DN
    configuring, 16
    modifying, 90
DTO. See Data Transfer Object
dump file
    definition, 123

E
emergency access
    definition, 123
emergency access passcode
    definition, 123
emergency access tokencode
    definition, 124
example deployment, 34
External Unique Identifier (EXUID), 90

F
failover, 12, 34, 35, 78
failover mode
    definition, 124
Firefox, 19

G
Generate Replica Package utility, 45, 116
Global Catalog
    definition, 124
    mapping to identity source, 78
graded authentication
    definition, 124
group data, 19
GUI-based install, 39, 47, 54
GUI-based uninstall, 95

H
hardware requirements, 17

I
identity attribute definitions
    definition, 124
Identity Management Services
    definition, 125
identity source, 11, 16, 75
    adding, 88
    administrative, 78
    connecting with resource adapters, 78
    definition, 125
    deleting, 90
    enabling in the RSA Security Console, 88
    linking to realm, 89
    modifying, 87
    runtime, 78
    supported, 19
    troubleshooting, 102
IMS. See Identity Management Services
Initialize Identity Source utility, 16, 84
installation
    fails to complete, 101
    logs, 101
    planning, 27
    post-install tasks, 61
    primary instance, 39
    process, 27
    reinstallation cleanup script, 101
    replica instance, 45
    server node, 53
    network configuration, 14
    silent mode, 42
    type, 11
instance, 11
    definition, 125
    primary, 11, 12
    replica, 11, 12, 13
internal database, 11, 19, 21, 23
    definition, 125
Internet Explorer, 19

J
JavaScript, 19
    enabling, 66

K
kernel parameter requirements, 18
Key Management encryption key
    definition, 126
keystore
    definition, 126
    legacy compatibility, 73
    SSL requirements, 69

L
LAC. See Local Authentication Client
large deployment, 37
LDAP
    Active Directory, 78
    Active Directory forest, 78
    base DN, 16
    failover, 78
    identity source, 16, 75
    integrating with replica database server, 78
    integration, 16, 35, 37, 75
    orphaned users, 90
    secure connections, 19
    SSL setup, 83
    supported configurations, 16
    supported directories, 19
    troubleshooting, 102
    trusted root certificate, 73
license
    Advanced, 119
    Base, 121
    files, 20
    general description, 20
    server node requirement, 14

license ID
    determining, 10
link identity source to realm, 89
Linux
    display environment variable, 24
    kernel semaphore parameters, 24
    requirements, 18
    script for system update, 25
    security parameters, 24
Local Authentication Client
    definition, 127
lockout policy
    definition, 127
log archival
    definition, 127
logging on to the RSA Security Console, 66
logging service
    definition, 127
    installation logs, 101
    system logs, 102
lower-level security domain
    definition, 127

M
Manage Nodes utility, 53, 117
Manage Secrets utility, 105
Manage SSL Certificate utility, 70, 109
master password, 21, 22
medium deployment, 35
member user
    definition, 127
member user group
    definition, 128
memory requirements, 17
Microsoft Management Console
    definition, 128
MMC
    installing, 92
    post-installation configuration, 94
    purpose, 91
MMC Extension, 103
MMC. See Microsoft Management Console
multicast network communication fails, 103
Multicast Network Test utility, 103, 114

N
namespace
    definition, 128
network configuration
    proxy service, 15
    server node, 14
Network Management System, 128
node
    fails to communicate, 103
    installation, 14
    manager, 64
    package file, 53
    test communication, 114
node manager
    troubleshooting, 104
node secret
    definition, 128
NTP service, 20

O
object
    definition, 128
offline synchronization, 45, 116
online synchronization, 45, 116
operating system, 17
Oracle, 21, 23
orphaned LDAP users, 90

P
page file, 17
PAM Agent, 20
PAM. See Pluggable Authentication Module
passcode
    definition, 128
password
    Active Directory policy, 84
    changing after install, 66
    encrypted properties file, 105
    internal system, 68
    master, 21, 22, 68
    Super Admin, 21, 22, 68
password policy
    definition, 129
    planning, 21, 22
permissions
    definition, 129
policy data, 19
ports reserved for Authentication Manager, 22, 23
post-installation tasks
    changing passwords, 67
    Linux configuration, 61
    SSL, 69
    starting services, 63
pre-installation checklist, 21
primary connection pool
    definition, 129

primary database server, 12
    removing, 99
primary instance, 12
    backing up standalone, 61
    data file for replica instance, 116
    definition, 129
    securing data over the network, 63
    synchronize with replica instance, 116
private key
    definition, 129
processor, 17
properties file, 105
protecting resources, 20
provisioning data
    definition, 129
proxy servers, 74
proxy service, 15
public key
    definition, 129

R
RADIUS. See Remote Authentication Dial-In User Service
realm
    definition, 130
    identity source, 89
Red Hat Package Manager
    versions required, 18
reinstallation cleanup script, 101
Remote Authentication Dial-In User Service
    definition, 130
Remote Token Key Generation Service, 74
remove Authentication Manager, 96
replica instance, 12
    connecting to LDAP, 78
    connection to primary instance, 13
    definition, 130
    installing, 45
    rebalancing contact lists, 52
    removing, 97
    synchronize with primary instance, 116
    synchronizing clocks, 45
replica package file, 45
requirements, system, 17
resource adapters, 78
    deploying, 85
    Resource Adapter Archive file, 84
    undeploying, 87
RPM. See Red Hat Package Manager
RSA ACE/Server, 21, 23
RSA Authentication Manager. See Authentication Manager
RSA Security Console
    adding to trusted sites, 67
    definition, 130
    description, 11
    enabling the identity source, 88
    fails to start, 102
    identity source, 11
    installation, 11
    logging on, 66
    MMC Extension configuration, 94
    on server, 15
    read-only operations, 13
    starting service, 64
    supported browsers, 19
runtime
    definition, 131
runtime identity source, 78
    definition, 131

S
scope
    definition, 131
scripts
    system update on Linux, 25
Secure Sockets Layer
    definition, 131
Security Console, 11
    adding to trusted sites, 67
    definition, 130
    description, 11
    enabling the identity source, 88
    fails to start, 102
    identity source, 11
    installation, 11
    logging on, 66
    MMC Extension configuration, 94
    on server nodes, 15
    read-only operations, 13
    starting service, 64
    supported browsers, 19
security domain
    definition, 131
server certificate and key, 40, 48, 55

server node
    connection to primary instance, 15
    definition, 131
    fails to communicate, 103
    function, 14
    installation type, 11
    installing, 53
    test communication, 114
services, fail to start, 102
session
    definition, 131
setting local time, 20
silent installation, 42, 50, 57
Simple Network Management Protocol
    Agent, 132
    definition, 132
    trap, 132
single sign-on
    definition, 132
snap-in
    definition, 132
SNMP. See Simple Network Management Protocol
SSL
    LDAP, 83
    post-installation tasks, 69
SSL certificate
    manage, 109
SSL LDAP, 19
SSL. See Secure Sockets Layer
SSO. See single sign on
starting RSA Authentication Manager services, 63
subnet, 14
Sun Java System Directory Server, 19
Super Admin
    changing password, 66
    definition, 132
    planning password, 21, 22
supported browsers
    RSA Security Console, 19
swap space requirements, 18
system
    architecture, 11
    components, 11
    fingerprint, 105
    logs, 102
    required packages, 18
    requirements, 17, 25
    update script, 25
system log, 102
system requirements
    Linux, 18
    Microsoft Windows, 17
systemfields.properties, 21, 22, 105

T
TACACS. See Terminal Access Controller Access Control System
TCP ports, 22, 23
temporary directory for installation logs, 21, 23
time settings, 20
time synchronization, 20
tokencode
    definition, 133
tokens
    definition, 133
top-level security domain
    definition, 133
trace log, 102
    definition, 133
troubleshooting, 101
    Collect Product Information utility, 108
    MMC Extension does not start, 103
    multicast network communication fails, 103
    RSA Security Console fails to start, 102
    server fails to start, 102
    starting node manager, 104
    unsuccessful installation or removal, 101
    unsuccessful LDAP integration, 102
two-factor authentication
    definition, 133

U
UDP ports, 22, 23
uninstall, 96
    primary database server, 99
    replica database server, 97
    server node, 95
unlink identity source from realm, 90
URL to access the RSA Security Console, 43, 52
user
    definition, 133
user and group data, 19
user group
    definition, 133
User ID
    definition, 133

users and groups
    accessing from LDAP directory, 16, 75
utility
    Collect Product Information, 108
    Generate Replica Package, 116
    Initialize Identity Source, 84
    Manage Nodes, 53, 117
    Manage Secrets, 105
    Manage SSL Certificate, 109
    Multicast Network Test, 114

V
version number, determining, 10

W
Windows registry settings, 22
Windows requirements, 17