Configure the RSA Authentication Manager 8.3
Add the Identity Source to the Platform Services Controller
1. Log in to the vSphere Web Client to vCenter Server as email@example.com
2. Click the Home button, Administration, Single Sign-On, then Configuration.
3. Click the Identity Sources tab.
4. Add the Identity Source with the type "Active Directory as an LDAP server."
Note: The Identity Source type "Active Directory (Integrated Windows Authentication)" will result in failed authentication when the RSA Identity Source does not map the User ID to userPrincipalName.
Add the Identity Source to the RSA Authentication Manager
1. Log in with the RSA administrator account to the RSA Operations Console at https://RsaAuthenticationManager:7072/operations-console/
2. Click the Deployment Configuration tab, then Identity Sources, then Add New.
Note: You must log in as a Super Admin user.
3. Under the Connection(s) Tab, fill out the required fields.
4. Under the Map Tab, fill out all required fields.
Note: If the attribute used to map the User ID is not userPrincipalName, follow KB 57595 to add the User Base DN to the vSphere Identity Source for the Identity Provider.
KB 57595: RSA SecurID login error "Invalid Credentials" when using the Identity Source type of Active Directory with Integrated Windows Authentication
5. Test the connection to the Identity Source.
6. Save and Finish.
Link the Identity Source to the System
1. Log in with the RSA administrator account to the RSA Security Console at https://RsaAuthenticationManager:7004/console-ims/
2. Click the Setup Tab, then Identity Sources, then Link Identity Source to System.
3. Select the Identity Source from the "Available" column. Click the less-than button to move the Identity Source to the "Linked" column.
4. Save the configuration.
Assign user accounts a SecurID Token
1. From the RSA Security Console, click Authentication, then SecurID Tokens, then Manage Existing.
2. Click the Unassigned tab. In the Serial Number column, click the down arrow next to the desired Serial Number and click Assign to User.
3. From the Search Criteria column, select SystemDomain from the Security Domain drop-down. Select the LDAP Identity Source from the Identity Source drop-down. Select Last Name and contains to filter Where.
Note: The search result should contain the User ID using the mapped attribute.
4. Click the radio button next to the User ID and click Assign.
5. Click the Assigned tab to confirm the Serial Number is assigned to the correct User ID.
6. Click the arrow next to the Serial Number, and click Edit.
7. Make the required adjustments to the Token Status and SecurID PIN Management.
Download the RSA Authentication Manager server certificate called Server.cer
1. Within the RSA Security Console, click Access, then Authentication Agents, then Download Server Certificate File. Click the "Download Now" link.
Add the RSA Authentication Manager server certificate called Server.cer to the Platform Services Controller Trusted Root Store
1. Open a browser and navigate to the Platform Services Controller web interface. Log in with firstname.lastname@example.org.
For example: https://PlatformServiceController
2. Under Certificates, click Certificate Management, and authenticate as email@example.com.
3. Click the Trusted Root Certificate tab, and click "Add certificate".
4. Browse to the path of the RSA Authentication Manager certificate called Server.cer. Close the browser session.
Import the certificate of the LDAP Identity Source to the RSA Authentication Operations Console
Prerequisite: The LDAP Identity Source SSL Certificate is available for import into the RSA Authentication Manager.
1. Within the RSA Operations Console, click Deployment Configuration, then Identity Sources, then Identity Source Certificates, then Add New.
2. Fill out the Certificate Name, and next to Certificate File click Choose File. Locate the LDAP Identity Source SSL Certificate and select Open. Select Save.
3. Once the certificate has been imported, the Issued To and Issued By columns will be populated with the certificate's Common Name path.
Add an Authentication Agent
1. From the RSA Operations Console, select the Deployment Configuration tab, Identity Sources, Add New.
2. Configure the Identity Source Basics and the Directory Connection.
(Optional) Add the Hostname and IP Address of the Authentication Manager to the Agent Authentication Setting
1. Within the RSA Security Console, click the Setup tab, System Settings, System Settings tab, Agents, then click the link "To configure agents using IPV6, click here".
2. Add the Hostname and IP address for the Server Connection Pool configuration within the Authentication Servers menu.
3. Click Update.
Generate the Authentication Agent Configuration File
1. Within the RSA Security Console, click the Access tab, Authentication Agents, Generate Configuration File.
2. Click Generate Config File.
3. Click the "Download Now" link.
4. Within the downloaded package called "AM_Config", extract the file "sdconf.rec".
Import the sdconf.rec file into the Platform Services Controller
1. Open a connection to the Platform Services Controller using WinSCP or a similar program.
2. Copy the file "sdconf.rec" to the Platform Services Controller.
3. Note the location where you saved the sdconf.rec file on the Platform Services Controller.
Configure the 6.5 External Platform Services Controller for RSA SecurID
1. SSH to the Platform Services Controller and log in as root.
2. Change to the directory that contains the sso-config.sh script:
Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services
3. Enable SecurID authentication:
# sso-config.[sh|bat] -t tenantName -set_authn_policy -securIDAuthn true
# sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
Note: After you enable RSA SecurID, the checkbox "Use RSA SecurID" appears in the vSphere Web Client.
4. Configure the Tenant to use the RSA Site:
# sso-config.[sh|bat] -set_rsa_site [-t tenantName] [-siteID Location] [-agentName Name] [-sdConfFile Path]
# sso-config.sh -set_rsa_site -t vsphere.local -agentName fed-linpsc.fedlab.local -sdConfFile /tmp/sdconf.rec
5. Set the user ID mapping using the attribute configured in the RSA Authentication Manager for the Identity Source:
# sso-config.[sh|bat] -set_rsa_userid_attr_map [-t tenantName] [-idsName Name] [-ldapAttr AttrName] [-siteID Location]
# sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName fedlab.local -ldapAttr userPrincipalName
6. Review the RSA configuration:
# sso-config.sh -t tenantName -get_rsa_config
# sso-config.sh -t vsphere.local -get_rsa_config
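The steps above are usually typed one at a time on the Platform Services Controller. The following script is an added example, not part of the RSA or VMware guide, that runs steps 3 to 6 in order after checking that the copied sdconf.rec is actually present and non-empty (an empty or mistyped upload is the usual reason -set_rsa_site fails). The location of sso-config.sh, the DRY_RUN switch and the parameter names of the configure_rsa function are assumptions made for this example; the sso-config.sh options themselves are the ones shown in the guide.

```shell
#!/bin/sh
# Added example (not from the RSA/VMware guide): drive the sso-config.sh steps
# for the External Platform Services Controller in order, with a prerequisite
# check on sdconf.rec. Run with DRY_RUN=1 (the default) to review the exact
# commands before applying them; set DRY_RUN=0 to execute them on the PSC.
set -u

# Assumed location of sso-config.sh on the PSC appliance; override with
# SSO_CONFIG=/path/to/sso-config.sh if it differs on your deployment.
SSO_CONFIG="${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The sdconf.rec extracted from AM_Config must be readable and non-empty at
# the path noted when it was copied to the PSC.
check_sdconf() {
    f="$1"
    [ -r "$f" ] || { echo "sdconf.rec not readable: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "sdconf.rec is empty: $f" >&2; return 1; }
    return 0
}

# configure_rsa TENANT AGENT_NAME SDCONF_PATH IDS_NAME LDAP_ATTR
#   TENANT      SSO tenant, e.g. vsphere.local
#   AGENT_NAME  Authentication Agent hostname registered in the Security Console
#   SDCONF_PATH path of sdconf.rec on the PSC
#   IDS_NAME    vSphere Identity Source name
#   LDAP_ATTR   attribute mapped to the User ID in the RSA Identity Source
configure_rsa() {
    tenant="$1"; agent="$2"; sdconf="$3"; ids="$4"; attr="$5"
    check_sdconf "$sdconf" || return 1
    # Step 3: enable SecurID authentication for the tenant.
    run "$SSO_CONFIG" -t "$tenant" -set_authn_policy -securIDAuthn true || return 1
    # Step 4: point the tenant at the RSA site using the agent name and sdconf.rec.
    run "$SSO_CONFIG" -set_rsa_site -t "$tenant" -agentName "$agent" -sdConfFile "$sdconf" || return 1
    # Step 5: map the User ID to the same attribute the RSA Identity Source uses.
    run "$SSO_CONFIG" -set_rsa_userid_attr_map -t "$tenant" -idsName "$ids" -ldapAttr "$attr" || return 1
    # Step 6: show the resulting configuration for review.
    run "$SSO_CONFIG" -t "$tenant" -get_rsa_config
}

# Example invocation with the values used in the guide (only runs when the
# script is executed directly, so the functions can also be sourced).
if [ "${0##*/}" = "configure_rsa.sh" ]; then
    configure_rsa vsphere.local fed-linpsc.fedlab.local /tmp/sdconf.rec fedlab.local userPrincipalName
fi
```

Keeping the -ldapAttr value identical to the attribute mapped in the RSA Identity Source is what avoids the "Invalid Credentials" failure described in the note on KB 57595; the dry-run output makes that value easy to confirm before the change is applied.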
SET UP RSA SECURID AUTHENTICATION
TWO FACTOR AUTHENTICATION FOR VSPHERE – RSA SECURID
RSA SETUP GUIDE