Managing the configuration files of an RSA Authentication Agent for Windows
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for Windows
RSA Version/Condition: 7.2 or later
A new Authentication Manager deployment has been built (perhaps due to a migration from an earlier version of Authentication Manager) and the administrator would like to change the configuration of the deployed RSA Authentication Agent for Windows in the production environment.
The RSA Authentication Agent for Windows stores its configuration files in the C:\Program Files\Common Files\RSA Shared\Auth Data folder by default. Updating an RSA Authentication Agent for Windows to send authentications to a new Authentication Manager deployment requires the removal of the failover.dat, sdstatus.12 and securid files and changing sdconf.rec file to point to the new server(s).
Since the authentication agent monitors the existence of the node secret on the agent and on the server, if the node secret file is deleted from the agent it must also be deleted from the server. In the Security Console under Access > Authentication Agents > Manage Existing, use the Search Criteria to search for the authentication agent in question. Once found, click on the agent and select Manage Node Secret… Check the option to clear the node secret and click Save.
NOTE: It is important that the operating system hosting the RSA Authentication Agent for Windows is able to look up the fully-qualified host names and IP addresses of the Authentication Manager instances in the Authentication Manager deployment, either by DNS or by the local hosts file.
Changing the configuration files of an RSA Authentication Agent for Windows is a manual task. An administrator could start by making the changes to one RSA Authentication Agent for Windows to ensure the process works before changing further RSA Authentication Agent for Windows configurations.
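The manual steps above (check name resolution, remove failover.dat, sdstatus.12 and the node secret, then install the new sdconf.rec) as a PowerShell script for a single agent host. This is an added example, not a script shipped by RSA or taken from the product documentation. It assumes the default Auth Data folder, that the new sdconf.rec has already been extracted from AM_Config.zip, and that the Authentication Manager host names are placeholders to be replaced with the real instances; it backs up the folder before touching anything so the change can be reversed. It does not clear the server-side node secret, which still has to be done in the Security Console as described above.

```powershell
# Added example (not RSA's code): point an RSA Authentication Agent for Windows at a new
# Authentication Manager deployment using the steps in the article above.
# Assumptions: default Auth Data folder, new sdconf.rec already downloaded, and the
# instance names below are placeholders. Run from an elevated PowerShell prompt.
param(
    [string]$AuthData = 'C:\Program Files\Common Files\RSA Shared\Auth Data',
    [Parameter(Mandatory = $true)]
    [string]$NewSdconf,   # path to the sdconf.rec generated on the new deployment
    [string[]]$AmInstances = @('am-primary.example.com', 'am-replica1.example.com')  # placeholders
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the host can resolve every Authentication Manager instance.
#    System.Net.Dns honours both DNS and the local hosts file, which is what the agent relies on.
foreach ($fqdn in $AmInstances) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        Write-Host "Resolved $fqdn -> $($addrs -join ', ')"
    } catch {
        throw "Cannot resolve $fqdn; fix DNS or the hosts file before reconfiguring the agent."
    }
}

# 2. Back up the current configuration files before changing anything.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:ProgramData "RSA-AuthData-backup-$stamp"   # assumed backup location
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $AuthData -File | Copy-Item -Destination $backup
Write-Host "Backed up $AuthData to $backup"

# 3. Remove the files tied to the old deployment: failover.dat, sdstatus.12 and the
#    node secret (securid). sdstatus.12 and the node secret are recreated by the agent
#    on the next successful authentication.
foreach ($name in 'failover.dat', 'sdstatus.12', 'securid') {
    $path = Join-Path $AuthData $name
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        Write-Host "Removed $path"
    } else {
        Write-Host "Not present, nothing to remove: $path"
    }
}

# 4. Install the sdconf.rec generated on the new Authentication Manager deployment.
Copy-Item -LiteralPath $NewSdconf -Destination (Join-Path $AuthData 'sdconf.rec') -Force
Write-Host "Installed new sdconf.rec from $NewSdconf"

# 5. The node secret also exists on the server side and must be cleared there:
#    Security Console > Access > Authentication Agents > Manage Existing > Manage Node Secret.
Write-Warning "Clear this agent's node secret in the Security Console before the next authentication."
```

Run it as `.\Reconfigure-RsaAgent.ps1 -NewSdconf C:\Temp\sdconf.rec -AmInstances am1.corp.example,am2.corp.example` (script name and paths are examples). The resolution check runs first on purpose: if a name does not resolve, the script stops before any file has been removed, and the backup folder it creates holds the old failover.dat, node secret and sdconf.rec should the change need to be rolled back.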
For large deployments, an administrator could review the RSA Authentication Agent 7.2 Installation and Administration Guide and read the section called “Deploying the Installation Package to Multiple Computers”. Using this section of the product documentation, a new installation package could be created with the new configuration, and a tool such as Microsoft System Management Server (SMS) used to remove the previous installation and replace it with the new installation package (containing the new configuration files). Where the Windows platform hosting the RSA Authentication Agent for Windows software is a member of a domain, GPO templates can be used to configure the authentication agent challenge settings. This would need testing to ensure you get the desired results.
NOTE: There are two possible Windows restarts required with the steps above; one restart is after the removal of authentication agent software and another restart after the installation of the new installation package.
Alternatively, customers can engage RSA Professional Services to come up with a solution to change the configuration files on a large number of deployed RSA Authentication Agents for Windows.
Table showing configuration files used by an RSA Authentication Agent for Windows:

sdconf.rec
  Configuration record providing the IP addresses of the Authentication Manager instances in the deployment.
  Generated in the Security Console under Access > Authentication Agents > Generate Configuration File.
  Click the Generate Config File button.
  Click the Download Now link to obtain AM_Config.zip, which contains the sdconf.rec file.

failover.dat
  The failover.dat file allows agent auto-registration to complete when the primary instance is unavailable or separated from the agent host by a firewall that uses Network Address Translation (NAT). The file includes a list of the primary and replica instances, and their alias IP addresses.

server.cer
  The server certificate used with the authentication agent auto-registration utility.
  Downloadable from the Security Console under Access > Authentication Agents > Download Server Certificate File.
  Click the Download Now link to obtain server.cer.

securid (node secret)
  The node secret file is used to encrypt communication between the authentication agent and Authentication Manager. Created during the first successful authentication attempt between the agent and the Authentication Manager server.

sdstatus.12
  This file is created by the agent and contains the list of available Authentication Manager instances and time-related information.
  If this file is deleted, the authentication agent will recreate it on the next authentication.

sdopts.rec
  Used for manual load balancing of an authentication agent.
  Appendix A: Configuring Automatic Load Balancing (page 81) of the RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide provides information on how to use the sdopts.rec file and describes a number of parameters that can be used in configuring it.