SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
MohammadEnnab (Occasional Contributor), 2021-04-07 03:09 AM
RSA SecurID Authentication Manager Integration with VMware vCenter

Dears;

I would like to share the procedure to integrate VMware vCenter with RSA AM; there is no official guide published in RSA Ready Technologies for this integration.

The virtual lab simulates the integration using the components below:

  • RSA AM VM version 8.5
  • RSA SW token
  • vSphere ESX version 6.7, latest update
  • vCenter version 6.7, latest update, including embedded Platform Services Controller (PSC)

Note: the External Platform Services Controller will not be supported by VMware in version 7.0; if you have an External Platform Services Controller you can follow the same procedure.

  • Microsoft AD as the main identity source for RSA AM and vCenter

Configuration procedure:

  • Configure RSA Authentication Manager.
  • Integrate Microsoft AD as the main identity source in AM.

Note: Remember that AD maps to the user attribute (sAMAccountName); this attribute is required to configure RSA on the vCenter side.

  • Assign the required token to the AD user
  • Set up vSphere ESX
  • Set up vCenter; remember what your SSO default domain is (usually it is configured as vsphere.local)
  • Integrate Microsoft AD as the identity source for SSO, ensuring the identity source type selected is (Active Directory over LDAP). Don’t use (Active Directory Integrated Windows Authentication); this would require using the userPrincipalName attribute to map users on the AD side.
  • Create an agent record in RSA for the vCenter PSC (an embedded PSC uses the same name as the vCenter hostname); keep the agent type as standard (the agent name created in our lab is vc.rsas.com)
  • Download the RSA configuration file (sdconf.rec); you need to upload this file to the vCenter PSC
  • Transfer sdconf.rec to vCenter using the WinSCP tool; keep the file under the directory (/root/sdconf.rec)
  • Access the vCenter PSC through SSH using any tool such as PuTTY
  • Issue the commands below to set up RSA in the vCenter PSC

1. Change directory: cd /opt/vmware/bin

2. Enable the SecurID authentication policy:

./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true

3. Configure the agent software in SSO with the sdconf.rec file:

./sso-config.sh -set_rsa_site -t vsphere.local -agentName vc.rsas.com -sdConfFile /root/sdconf.rec

4. Define the AD user attribute as sAMAccountName:

./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName rsas.com -ldapAttr sAMAccountName

5. Confirm all the settings by dumping the RSA configuration of SSO:

./sso-config.sh -t vsphere.local -get_rsa_config

Optional: To disable logons via username and password, smart card and Windows integrated session, enter the following command. Afterwards only logon through RSA SecurID is possible.

sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local

Now it is time to log in to the vSphere Web Client via multi-factor authentication; we can see that the logon page shows an additional checkbox called ‘Use RSA SecurID’, and the password field changes to ‘Passcode’.

Labels: Integrations, RSA Authentication Manager
2 Likes
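As an added example (not part of the original post, and not VMware's or RSA's tooling), the shell below wraps the sso-config.sh steps from the post in a preflight check and a dry-run command plan, and keeps the optional SecurID-only step behind an explicit argument so it is not applied before a SecurID login has been tested. It assumes the path /opt/vmware/bin, the uploaded /root/sdconf.rec, and the agent and identity-source names vc.rsas.com and rsas.com from the post's lab.

```shell
#!/bin/sh
# Added example (not from the post, nor VMware's or RSA's tooling): a preflight
# and command plan for the sso-config.sh steps described above. Assumptions:
# sso-config.sh is in /opt/vmware/bin, sdconf.rec was uploaded as in the post,
# and the agent record is named after the vCenter hostname.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.

SSO_BIN="${SSO_BIN:-/opt/vmware/bin}"
TENANT="${TENANT:-vsphere.local}"

# Returns 0 when the agent name is set and sdconf.rec is a readable, non-empty
# file. Warns (but does not fail) if the agent name differs from this host's
# FQDN, since the post registers the embedded PSC under the vCenter hostname.
check_rsa_prereqs() {
    agent="$1"; sdconf="$2"
    [ -n "$agent" ] || { echo "error: agent name is empty" >&2; return 1; }
    [ -s "$sdconf" ] && [ -r "$sdconf" ] ||
        { echo "error: sdconf.rec missing, empty or unreadable: $sdconf" >&2; return 1; }
    [ "$agent" = "$(hostname -f 2>/dev/null)" ] ||
        echo "warning: agent '$agent' differs from this host's FQDN" >&2
    return 0
}

# Prints the post's commands one per line, in the post's order. The optional
# SecurID-only step (password, Windows and certificate logon disabled) is
# printed only when the fourth argument is "lockdown", so it is not run by
# accident before a SecurID login has been verified to work.
rsa_sso_plan() {
    agent="$1"; sdconf="$2"; ids="$3"; mode="$4"
    printf '%s\n' \
      "$SSO_BIN/sso-config.sh -t $TENANT -set_authn_policy -securIDAuthn true" \
      "$SSO_BIN/sso-config.sh -set_rsa_site -t $TENANT -agentName $agent -sdConfFile $sdconf" \
      "$SSO_BIN/sso-config.sh -set_rsa_userid_attr_map -t $TENANT -idsName $ids -ldapAttr sAMAccountName" \
      "$SSO_BIN/sso-config.sh -t $TENANT -get_rsa_config"
    [ "$mode" = "lockdown" ] && printf '%s\n' \
      "$SSO_BIN/sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t $TENANT"
    return 0
}

# Runs the preflight, then prints (DRY_RUN=1) or executes (DRY_RUN=0) the plan.
rsa_sso_apply() {
    check_rsa_prereqs "$1" "$2" || return 1
    rsa_sso_plan "$1" "$2" "$3" "$4" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then echo "DRY-RUN: $cmd"; else sh -c "$cmd" || exit 1; fi
    done
}

# Example with the post's lab values (dry run by default):
# rsa_sso_apply vc.rsas.com /root/sdconf.rec rsas.com
```

Run the plan once without "lockdown", confirm a SecurID logon to the vSphere Web Client succeeds, and only then rerun with "lockdown" to remove the password, Windows and certificate logon paths.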
7 Replies
LukaKodric (Trusted Contributor), 2021-04-07 08:15 PM
Awesome... I wonder how we would integrate it directly into the RSA SecurID Access SSO portal 😄 if that's even possible.

0 Likes
MohammadEnnab (Occasional Contributor), 2021-04-08 01:10 AM
Hi Luka;

VMware vCenter doesn't support integration with the RSA SSO portal; there is a limitation from the VMware side. If you are looking to use new modern authentication such as push notification to access VMware vCenter, you can do a hybrid integration between RSA AM and IDR.


1 Like
LukaKodric (Trusted Contributor), 2021-04-08 06:03 PM
Yeah, another reason why I still run AM 😄 for legacy stuff like this.

0 Likes
captjck (New Contributor), 2021-06-10 08:20 PM
Is there any way to force AD accounts to use the RSA token but allow vsphere.local accounts to just use their password? I like having the ability to log in "locally" in an emergency.

1 Like
OCCRob (New Contributor), 2021-08-13 10:24 AM
Do you know of a way to enforce both RSA and the LDAP password? It's not MFA when I just shift from using one type of authentication to another.

Also, is there any way to change the RSA logon message? We don't use the Windows soft token and I can see it being confusing for users with the phone app.

0 Likes
philrolfe (New Contributor), in response to OCCRob, 2021-08-30 10:27 AM
As I see it, assuming you're using a PIN and a tokencode, shifting from LDAP to RSA is MFA. The PIN is something you know, analogous to the password in AD, and the tokencode is something you have. Thus, two factors, or multifactor.

0 Likes
ChrisRod (New Contributor), 2021-09-03 12:21 PM
Hello Mohammad,

Do you know if it is possible to run this command

sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local

but still be able to use password authentication just on service accounts like local system accounts?

I just want to disable passwords for users on a domain, but not for the local system.

1 Like
© 2022 RSA Security LLC or its affiliates. All rights reserved.