This section describes how to integrate RSA SecurID Access with VMware vSphere/vCenter as an authentication agent.
Architecture Diagram
Configure RSA Authentication Manager
To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (using 8.1.x or earlier RSA Agent API) or TCP-based agent (using 8.5 or newer RSA Agent API).
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Note: Authentication Manager must be able to resolve the IP address from the hostname.
Configure VMware vSphere/vCenter
Perform these steps to configure VMware vSphere/vCenter as an authentication agent to RSA Authentication Manager.
Procedure
- Upload the sdconf.rec file to the VMware vSphere/vCenter 6.7 Platform Services Controller (PSC).
- Run shell.set --enabled True to enable the Bash shell.
- Run shell to access the Bash shell.
- Run chsh -s /bin/bash root to change the default shell to Bash.
- Using scp, upload sdconf.rec to /root.
- Run chsh -s /bin/appliancesh root to restore the Appliance Shell.
- Enable SecurID via the PSC CLI.
- Change directory to /opt/vmware/bin.
- To enable the SecurID Authentication Policy, run the following command:
  ./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
- To configure the SSO agent software with sdconf.rec, run the following command, where the agentName is your LDAP or AD:
  ./sso-config.sh -set_rsa_site -t vsphere.local -agentName vm2174.pe.rsa.com -sdConfFile /root/sdconf.rec
- To review the configuration, run the following command:
  ./sso-config.sh -t vsphere.local -get_rsa_config

The configuration is now complete and ready to test.
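The procedure above switches root's login shell to Bash for the scp upload and then back to the Appliance Shell, and it leaves a copy of sdconf.rec in /root. The script below is an added example, not part of the RSA or VMware procedure, that audits both points afterwards; the function names and the RUN_AUDIT switch are assumptions made for the example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not vendor code): post-change audit for the sdconf.rec upload.
# Paths can be overridden so the checks also run against test fixtures.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SDCONF_COPY="${SDCONF_COPY:-/root/sdconf.rec}"
EXPECTED_SHELL="/bin/appliancesh"   # shell restored by the final chsh step

# Print the login shell (7th passwd field) recorded for root in file $1.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Succeed only when root's login shell is the Appliance Shell again.
check_root_shell() {
    [ "$(root_shell "$1")" = "$EXPECTED_SHELL" ]
}

# Succeed when the uploaded copy $1 is absent or has no group/other
# permission bits set (octal mode ends in 00, e.g. 600 or 400).
check_sdconf_copy() {
    [ -e "$1" ] || return 0
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run both checks, print one line per check, return non-zero on any failure.
audit() {
    rc=0
    if check_root_shell "$1"; then
        echo "OK   root login shell is $EXPECTED_SHELL"
    else
        echo "FAIL root login shell is '$(root_shell "$1")', expected $EXPECTED_SHELL"
        rc=1
    fi
    if check_sdconf_copy "$2"; then
        echo "OK   $2 is absent or owner-only"
    else
        echo "FAIL $2 is accessible to group/other"
        rc=1
    fi
    return $rc
}

# Set RUN_AUDIT=1 to audit the live paths when the script is executed.
if [ "${RUN_AUDIT:-}" = "1" ]; then audit "$PASSWD_FILE" "$SDCONF_COPY"; fi
```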
SecurID Agent Integration Details
| Feature | Details |
|---|---|
| RSA Authentication Agent API (UDP) | 8.5 |
| RSA SecurID Authentication API (TCP) | NA |
| RSA SecurID User Specification | Designated Users, All Users, Default Method |
| Display RSA Server Info | No |
| Perform Test Authentication | No |
| Agent Tracing | Yes |

| Agent Files | Location |
|---|---|
| sdconf.rec | etc/vmware-sso/vsphere.local |
| sdopts.rec | etc/vmware-sso/vsphere.local |
| Node secret | etc/vmware-sso/vsphere.local |
| rsa_api.properties | etc/vmware-sso/vsphere.local |
This section is provided to show an administrator how to load, remove, or update the sdopts.rec, sdstatus.12 and Node Secret file if it was not previously documented under the Partner Authentication Agent Configuration section. It is also provided to list any technologies or terms specific to the Partner product that may not be viewed as common knowledge. If a testing utility has been added to the product so that you can test RSA SecurID authentications from the product then add a note on how to get to and use the utility.
Node Secret: (C and Java Agents only)
sdconf.rec: (C and Java Agents only)
sdopts.rec: (C and Java Agents only)
sdstatus.12: (C and Java Agents only)