VMware vSphere/vCenter 8.0.2 - Authentication Agent Configuration - RSA Ready Implementation Guide

This article describes how to integrate RSA with VMware vSphere/vCenter as an Authentication Agent.  

Configure VMware vCenter TCP Agent with RSA

Perform these steps to configure VMware vCenter TCP Agent with RSA.
Procedure

  1. To configure your RSA Authentication Manager for use with an authentication agent, create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
  2. Click the Primary RSA Authentication Manager Security Console > Access > Authentication Agents > Add New.
  3. Enter a Hostname and click Save.
    The hostname does not need to be resolved by DNS and no IP address is needed.
  4. Click Yes, Save Agent.
  5. Click RSA Authentication Manager Security Console > Access > Authentication Agents > Generate Configuration File.
  6. Click the Download Now link and click Done.
  7. Unzip the AM_Config.zip file to obtain the sdconf.rec file.
  8. To transfer files to the vCenter server via SFTP, the root shell on the vCenter appliance must be changed first. Enable SSH and shell access on the vCenter appliance, log in via SSH, and run the following command:
    chsh -s /bin/bash root

    Note:
    To change it back later to the default shell, run chsh -s /bin/appliancesh root.
  9. Access the vCenter server with an SFTP client such as WinSCP or FileZilla and transfer the sdconf.rec file downloaded from RSA Authentication Manager to the vCenter server.

Users that will access vSphere must exist on both RSA Authentication Manager and the vCenter server, either as local accounts or via Active Directory.

  

For Local Users on vCenter

    1. For the users that will access vSphere, log on to vSphere using the userPrincipalName or NTLM format.
      Note: Because the user is local on vCenter, vCenter sends the login username to RSA Authentication Manager together with the SSO domain. If you use the userPrincipalName format, a local user with the same name as the login username must exist on RSA Authentication Manager.
      Refer to the following figures of the RSA Authentication Manager Security Console > Identity > Users > Manage Existing, vSphere Client > Administration > Users and Groups, and vSphere Login pages.

    2. If the user logs on using the NTLM format (vsphere.local\username), click Security Console > Setup > System Setting > Agents and configure the mapping as shown in the following figure.
    3. Click Add and click Save.
      This makes RSA Authentication Manager transform the NTLM format to the userPrincipalName format.
    4. Access vCenter via SSH and run the following commands:
      1. cd /opt/vmware/bin
      2. Enable the SecurID authentication policy: ./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
      3. Configure the agent in SSO with the sdconf.rec file (assuming the SSO domain configured in vCenter is vsphere.local and the agent created in step 1 is vcenter8): ./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter8 -sdConfFile /root/sdconf.rec
      4. (Optional) If you perform manual load balancing using an sdopts.rec file, upload the file via SFTP (step 8) and run the command: ./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter8 -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
      5. (Optional) To disable other authentication methods, run the command: ./sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local
      6. (Optional) To change the tenant configuration to non-default values, run the command:
        ./sso-config.sh -set_rsa_config -t vsphere.local [-logLevel Level] [-logFileSize Size] [-maxLogFileCount Count] [-connTimeOut Seconds] [-readTimeOut Seconds]. For example: ./sso-config.sh -set_rsa_config -t vsphere.local -logLevel DEBUG -connTimeOut 10 -readTimeOut 10
      7. Review and confirm all the settings for RSA Authentication Manager: ./sso-config.sh -t vsphere.local -get_rsa_config

        

For Active Directory Users on vCenter

  1. Log on to vSphere using an identity source username. You can log on using the userPrincipalName or NTLM format. The username must match the identity source username configured on RSA Authentication Manager. For example, a user 'user1' can log on to vSphere by entering either domain\user1 or user1@domain.com. You can control which attribute (sAMAccountName or userPrincipalName) is sent to RSA Authentication Manager, and the setting applies to both NTLM and userPrincipalName logins.
    Note: Unlike local accounts, you do not need to configure RSA Authentication Manager to transform NTLM to userPrincipalName.
  2. Access vCenter via SSH and run the following commands:
    1. cd /opt/vmware/bin
    2. Enable the SecurID authentication policy: ./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
    3. Configure the agent in SSO with the sdconf.rec file (assuming the SSO domain configured in vCenter is vsphere.local and the agent created in step 1 is vcenter8): ./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter8 -sdConfFile /root/sdconf.rec
    4. (Optional) If you perform manual load balancing using an sdopts.rec file, upload the file via SFTP (step 8) and run the command: ./sso-config.sh -set_rsa_site -t vsphere.local -agentName vcenter8 -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
    5. (Optional) If your identity source does not use the User Principal Name as the user ID, set the identity source userID attribute (supported with Active Directory over LDAP identity sources only):
      ./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local [-idsName Name] [-ldapAttr AttrName]. For example: ./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName dawoud.com -ldapAttr sAMAccountName
    6. (Optional) To disable other authentication methods, run the command: ./sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local
    7. (Optional) To change the tenant configuration to non-default values, run the command: ./sso-config.sh -set_rsa_config -t vsphere.local [-logLevel Level] [-logFileSize Size] [-maxLogFileCount Count] [-connTimeOut Seconds] [-readTimeOut Seconds]. For example: ./sso-config.sh -set_rsa_config -t vsphere.local -logLevel DEBUG -connTimeOut 10 -readTimeOut 10
    8. Review and confirm all the settings for RSA Authentication Manager: ./sso-config.sh -t vsphere.local -get_rsa_config

  

sdopts.rec File

Use the sdopts.rec file to specify how manual load balancing between the RSA Authentication Manager servers should be performed. Be careful not to have any spaces at the start or at the end of the file. Refer to the following keywords and examples, and see the end of this section for troubleshooting guidance for sdopts.rec.

USESERVER=ip_address, priority

Priority 2 - 10: Send authentication requests to the RSA Authentication Manager server using a randomized selection based on the assigned priority of the Authentication Manager server. The range is from 2 to 10. The higher the value, the more requests the Authentication Manager server receives. A Priority 10 Authentication Manager server receives about 24 times as many requests as a Priority 2 Authentication Manager server.

Priority 1: Use this RSA Authentication Manager server only if no Authentication Manager servers of higher priority are available.

Priority 0: Ignore this RSA Authentication Manager server. A Priority 0 Authentication Manager server can only be used in special circumstances:

  • It must be one of the four Authentication Manager servers listed in the sdconf.rec file.
  • The Priority 0 Authentication Manager server can only be used for the initial authentication of the Authentication Agent, unless all Authentication Manager servers with priorities of 1–10 listed in the sdopts.rec file are known to the Authentication Agent to be unusable.

You must assign a priority to each RSA Authentication Manager that you add to the sdopts.rec file. Otherwise, the entry is invalid. The IP addresses in the file are verified against the list of valid RSA Authentication Manager servers that the Authentication Agent receives as part of its initial authentication.

Example:

USESERVER=192.168.10.23, 10
USESERVER=192.168.10.22, 2
USESERVER=192.168.10.20, 1
USESERVER=192.168.10.21, 0

AVOID=ip_address

When you provide an actual IP address of an RSA Authentication Manager server as a value, this keyword lets the Authentication Agent exclude this Authentication Manager server from use during dynamic load balancing.

Important: Use the AVOID keyword only for dynamic load balancing. Do not use it with the USESERVER keyword for manual load balancing. If the AVOID keyword is included in a sdopts.rec file that includes a USESERVER statement, the AVOID statement is considered an error. If you use the AVOID statement with the IP address of the default RSA Authentication Manager server, the statement is ignored unless another Authentication Manager server is available. The default Authentication Manager server is the one where the sdconf.rec file was created. If an Authentication Manager server is designated as the master, however, it becomes the default Authentication Manager server regardless of where the sdconf.rec file was created. 

The following example shows how to use the AVOID keyword in the sdopts.rec file:

AVOID=192.100.123.5

In this example, the RSA Authentication Manager server with the IP address 192.100.123.5 will not be used for authentication.
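The USESERVER and AVOID rules above (a priority on every USESERVER entry, priorities limited to 0-10, no leading or trailing spaces, and no AVOID entry in a file that also uses USESERVER) are easy to get wrong by hand, and the troubleshooting section notes that stray spaces break the file. The following POSIX shell validator is an added example, not part of the RSA or VMware documentation; it checks an sdopts.rec file against those rules before you upload it. The sample files it creates are constructed for illustration, it assumes IPv4 addresses only, and it tolerates empty lines (an assumption, since the guide does not say whether they are accepted).

```shell
#!/bin/sh
# validate_sdopts.sh (added example, not part of the RSA or VMware documentation)
# Checks an sdopts.rec file against the rules stated in this guide before it
# is uploaded to the vCenter appliance:
#   - no blanks at the start or end of any line, and none at the end of the file
#   - USESERVER=ip_address, priority   with an integer priority from 0 to 10
#   - every USESERVER entry must carry a priority
#   - AVOID=ip_address must not appear together with USESERVER
# Exit status 0 means the file passed; every problem found is written to stderr.
# Usage: . ./validate_sdopts.sh; validate_sdopts /path/to/sdopts.rec

# Plain IPv4 dotted-quad check (assumption: the file lists IPv4 addresses only).
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

validate_sdopts() {
    file=$1
    rc=0
    uses=0
    avoids=0
    lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # The guide warns that spaces at the start or end of the file break it.
    if grep -nE '^[[:blank:]]|[[:blank:]]$' "$file" >&2; then
        echo "lines above carry leading or trailing blanks" >&2
        rc=1
    fi
    if tail -c 1 "$file" | grep -q '[[:blank:]]'; then
        echo "file ends with a blank instead of a newline" >&2
        rc=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '') ;;                       # empty line: tolerated here (assumption)
            USESERVER=*)
                uses=$((uses + 1))
                rest=${line#USESERVER=}
                ip=${rest%%,*}
                prio=${rest#*,}
                if [ "$prio" = "$rest" ]; then
                    echo "line $lineno: USESERVER entry has no priority" >&2
                    rc=1
                    continue
                fi
                prio=$(printf '%s' "$prio" | tr -d ' ')   # the guide writes "ip, priority"
                valid_ip "$ip" || { echo "line $lineno: bad IP address '$ip'" >&2; rc=1; }
                case $prio in
                    [0-9]|10) ;;
                    *) echo "line $lineno: priority '$prio' is not in 0-10" >&2; rc=1 ;;
                esac
                ;;
            AVOID=*)
                avoids=$((avoids + 1))
                valid_ip "${line#AVOID=}" || { echo "line $lineno: bad IP address" >&2; rc=1; }
                ;;
            *)
                echo "line $lineno: unrecognised entry '$line'" >&2
                rc=1
                ;;
        esac
    done < "$file"

    if [ "$uses" -gt 0 ] && [ "$avoids" -gt 0 ]; then
        echo "AVOID is for dynamic load balancing only; it cannot be combined with USESERVER" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files for trying the validator offline; prints the directory.
make_samples() {
    dir=$(mktemp -d)
    # Valid manual load-balancing file, modelled on the example in this guide.
    printf 'USESERVER=192.168.10.23, 10\nUSESERVER=192.168.10.22, 2\nUSESERVER=192.168.10.20, 1\nUSESERVER=192.168.10.21, 0\n' > "$dir/good.rec"
    # Invalid: trailing space on line 1, and AVOID mixed with USESERVER.
    printf 'USESERVER=192.168.10.23, 10 \nAVOID=192.100.123.5\n' > "$dir/mixed.rec"
    # Invalid: USESERVER entry without a priority.
    printf 'USESERVER=192.168.10.23\n' > "$dir/noprio.rec"
    # Valid dynamic load-balancing file with only an AVOID entry.
    printf 'AVOID=192.100.123.5\n' > "$dir/avoid.rec"
    echo "$dir"
}
```

Run it on the appliance or on your workstation before transferring the file via SFTP; a non-zero exit status with the reported line numbers tells you what to fix, which is cheaper than diagnosing a silent load-balancing failure from rsa_securid.log afterwards.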

  

Important File Locations

  • /var/log/vmware/sso: This directory contains log files such as rsa_securid.log, websso.log, ssoAdminServer.log, vmware-identity-sts.log, tokenservice.log, and vmware-identity-sts-perf.log.
  • /etc/vmware-sso/(local_SSO_Domain)/, for example /etc/vmware-sso/vsphere.local/: This directory holds sdconf.rec, sdopts.rec, and rsa_api.properties, which contains the agent configuration. Do not edit rsa_api.properties directly, because the VMware shell script /opt/vmware/bin/sso-config.sh overwrites it; any property change must be made through sso-config.sh or it will not take effect.

 

Troubleshooting

You can enable DEBUG logging from the shell script to learn more about the authentication flow. To enable it, under /opt/vmware/bin run ./sso-config.sh -set_rsa_config -t vsphere.local -logLevel DEBUG, then watch the log file (tail -f /var/log/vmware/sso/rsa_securid.log) during an authentication attempt.

The sdopts.rec file must not have any spaces at the start or at the end of the file.

If a VMware service such as vmware-stsd hangs, restart it with service-control --stop vmware-stsd followed by service-control --start vmware-stsd.

Stopping or restarting all vCenter services requires downtime, the same as rebooting the appliance, and should only be done after extensive troubleshooting with VMware support has concluded that this step is needed.

 

The configuration is complete.
