RSA ID Plus
RSA Authentication Manager
RSA Identity Router
The following IP addresses and subnets are used by default internally within the RSA Authentication Manager (AM) server for networking between AM and its embedded RSA Identity Router (IDR).
| Virtual Interface | Usage | Default Subnet | Default IPs |
| Embedded IDR management subnet (a random name starting with "br-" e.g. br-53a16a36c0e5) | The IDR's management (eth0) interface IP and the gateway IP seen internally by the IDR. | 172.19.0.0/16 | 172.19.0.1 (gateway), 172.19.0.2 (eth0) |
| Embedded IDR docker subnet (docker0) | The gateway IP address used by AM for its internal network bridge for the IDR. | 172.17.0.0/16 | 172.17.0.1 (gateway) |
When embedded IDRs are used, the above subnets must be reserved in the organization's network for AM's use only. The same subnets can be used on every AM server. However, if either of those subnets is in use elsewhere in the organization's network where AM is deployed, the embedded IDRs will be inaccessible from the network. To fix that issue, the default subnet(s) in AM must be changed to unused subnet(s).
The steps in this KB explain how to manually change the embedded IDR management subnet and/or the embedded IDR docker subnet to any unused private subnets. If you are changing the subnets, do the same steps on every AM server in your deployment that will be running an embedded IDR. Note: the same two subnets can be used on every AM server.
Prerequisite: Select Alternate Subnet(s)
Check with your organization's network team to select unused subnets that can be used instead of 172.17.0.0/16 and/or 172.19.0.0/16. The two subnets must meet the following requirements:
- They must not overlap with each other or any other subnet used in the organization's network.
- They can be very small subnets (as small as /28). Only two IPs are needed for the bridge subnet and one IP for docker0.
In the remaining sections of this KB, we will use the below alternate subnets as examples.
| Virtual Interface | Subnet | IPs |
| Embedded IDR management subnet (e.g. br-53a16a36c0e5) | 192.168.1.0/24 | 192.168.1.1 (gateway), 192.168.1.2 (IDR's eth0) |
| Embedded IDR docker subnet (docker0) | 192.168.2.0/24 | 192.168.2.1 (gateway) |
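The requirements above can be checked before any file is edited. The following is an added example, not part of the RSA article or of AM itself: it validates two candidate subnets against a list of subnets already in use and derives the addresses in the same pattern as the tables above. The function names and the `IN_USE` list are assumptions made for illustration; `172.19.4.0/22` is a constructed value.

```python
import ipaddress

SMALLEST_PREFIX = 28  # the article allows subnets as small as /28

# Constructed sample of subnets already routed in the organization.
# 10.101.56.0/23 is the eth0 network from the article's routing table;
# 172.19.4.0/22 is invented to show a clash with the default subnet.
IN_USE = ["10.101.56.0/23", "172.19.4.0/22"]


def check_candidates(mgmt, docker, in_use):
    """Return a list of problems; an empty list means both subnets are usable."""
    problems = []
    nets = {}
    for label, cidr in (("management", mgmt), ("docker0", docker)):
        try:
            # strict=True rejects values such as 192.168.1.5/24 (host bits set)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if net.version != 4 or not net.is_private:
            problems.append(f"{label}: {net} is not a private IPv4 subnet")
        if net.prefixlen > SMALLEST_PREFIX:
            problems.append(f"{label}: {net} is smaller than /{SMALLEST_PREFIX}")
        for other in in_use:
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{label}: {net} overlaps in-use subnet {other}")
        nets[label] = net
    if len(nets) == 2 and nets["management"].overlaps(nets["docker0"]):
        problems.append("management and docker0 subnets overlap each other")
    return problems


def planned_addresses(mgmt, docker):
    """First host as gateway, second as the IDR's eth0, as in the article's tables."""
    m = ipaddress.ip_network(mgmt)
    d = ipaddress.ip_network(docker)
    return {
        "mgmt_gateway": str(m[1]),
        "idr_eth0": str(m[2]),
        "docker0_bip": f"{d[1]}/{d.prefixlen}",  # value for dockerd --bip
    }


if __name__ == "__main__":
    print(check_candidates("172.19.0.0/16", "172.17.0.0/16", IN_USE))
    print(check_candidates("192.168.1.0/24", "192.168.2.0/24", IN_USE))
    print(planned_addresses("192.168.1.0/24", "192.168.2.0/24"))
```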
Part A: Changing the Embedded IDR Management Subnet (br- interface)
- SSH to the AM server and login as rsaadmin.
- Take backups of IDRSoftware.groovy and ifup-rules. Tip: if you have to do this again, use a different filename suffix next time (not orig) for the backup copy, so you don't overwrite the original files:
cp /opt/rsa/am/config/src/scripts/IDRSoftware.groovy /tmp/IDRSoftware.groovy.orig
cp /etc/sysconfig/network/scripts/ifup-rules /tmp/ifup-rules.orig
- Remove the Embedded Identity Router from RSA Authentication Manager
- Change the permissions for IDRSoftware.groovy:
chmod 777 /opt/rsa/am/config/src/scripts/IDRSoftware.groovy
- Edit the IDRSoftware.groovy script, changing the subnet to 192.168.1.0/24 (or your selected Embedded IDR management IP and subnet):
vi /opt/rsa/am/config/src/scripts/IDRSoftware.groovy
- Search and update the values for idrContainerIPAddress and idrNetworkSubnet as seen below.
idrNetworkSubnet = "172.19.0.0/16"
idrNetworkSubnet = "192.168.1.0/24"
- sudo as root and update the IP rules:
vi /etc/sysconfig/network/scripts/ifup-rules
Search and update as shown below:
ip rule add from all to 192.168.1.0/24 lookup main priority 0
- Reboot.
- If you are not also changing the Embedded IDR Docker Subnet (Part B below), re-Install the IDR.
- Run ifconfig to check the "br-" interface is listed with the new embedded IDR management subnet with the correct IP and netmask.
- Check the routing table. The below example shows the "br-" interface with the new IP, gateway and netmask but the original setting still used for the docker0 interface:
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.101.56.1     0.0.0.0         UG        0 0          0 eth0
10.101.56.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-53a16a36c0e5
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
Part B: Changing the Embedded IDR Docker Subnet (docker0 interface)
To change the default IP/subnet (172.17.0.1/16) to 192.168.2.1/24 on the docker0 interface, follow the steps below:
- Reboot the AM server, SSH to it, then sudo as root.
- Take a backup of /usr/lib/systemd/system/docker.service. Tip: if you have to do this again, use a different filename suffix next time (not orig) for the backup copy, so you don't overwrite the original backup file:
cp /usr/lib/systemd/system/docker.service /tmp/docker.service.orig
- Edit /usr/lib/systemd/system/docker.service. Add --bip "192.168.2.1/24" (or your selected Embedded IDR docker IP/subnet) at the end of the ExecStart command line:
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS --bip "192.168.2.1/24"
- Run the following commands to reload the systemd manager configuration and to start Docker:
systemctl daemon-reload
systemctl start docker
- Re-Install the IDR.
- Run ifconfig to check the docker0 interface is listed with the new Embedded IDR docker subnet with the correct IP and netmask.
- Check network routing. The below example shows the new subnet values for the "br-" and docker0 interfaces.
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.101.56.1     0.0.0.0         UG        0 0          0 eth0
10.101.56.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-53a16a36c0e5
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 docker0
- Test RSA Cloud Authentication Service and AM authentications.
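The routing-table checks in Parts A and B can be scripted so that a leftover default subnet is caught on every AM server. The following is an added example, not part of the RSA article: it parses `netstat -rn` output and reports any "br-" or docker0 route that does not match the selected subnets, plus any other route that overlaps them. The function names are assumptions, and the sample input is constructed from the two listings shown in this article.

```python
import ipaddress

# Constructed input: the two `netstat -rn` listings shown in this article.
HEADER = "Destination Gateway Genmask Flags MSS Window irtt Iface\n"
COMMON = ("0.0.0.0 10.101.56.1 0.0.0.0 UG 0 0 0 eth0\n"
          "10.101.56.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0\n"
          "192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-53a16a36c0e5\n")
AFTER_PART_A = HEADER + COMMON + "172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0\n"
AFTER_PART_B = HEADER + COMMON + "192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0\n"


def parse_routes(text):
    """Yield (network, interface) for each route line; skip banner and header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:
            continue  # the column header row is not an address
        yield net, fields[7]


def verify(text, mgmt, docker):
    """Return a list of problems; empty means both interfaces use the new subnets."""
    want = {"br-": ipaddress.ip_network(mgmt), "docker0": ipaddress.ip_network(docker)}
    seen = {prefix: [] for prefix in want}
    problems = []
    for net, iface in parse_routes(text):
        prefix = next((p for p in want if iface.startswith(p)), None)
        if prefix:
            seen[prefix].append(net)
        elif net.prefixlen > 0:  # ignore the default route
            for p, expected in want.items():
                if net.overlaps(expected):
                    problems.append(f"{iface} route {net} overlaps {p} subnet {expected}")
    for prefix, expected in want.items():
        if not seen[prefix]:
            problems.append(f"no route found on a {prefix} interface")
        for net in seen[prefix]:
            if net != expected:
                problems.append(f"{prefix} interface routes {net}, expected {expected}")
    return problems


if __name__ == "__main__":
    print(verify(AFTER_PART_A, "192.168.1.0/24", "192.168.2.0/24"))
    print(verify(AFTER_PART_B, "192.168.1.0/24", "192.168.2.0/24"))
```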