Symantec Privileged Access Management

Hello,

While the Broadcom documentation lists the necessary steps to integrate the use of RSA SecurID, I wanted to provide a use case example and hopefully save someone else from the anxiety we went through to get it working.  We were able to use the same soft tokens as we used for securing other stuff.

First of all, this is by no means meant to substitute the official documentation. This is more about documenting on how we used the documentation to make it work! (No warranties, so on...)
  
Broadcom Documentation for 3.3.2:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/configure-the-product-for-rsa-securid.html

Register CA PAM as an Authenticating Device on the RSA ACE server
It is crucial to get this right. The PAM documentation is not specific on exactly what needed to be done, which I get because this configuration can be subjective depending on the specific use case.

As of RSA Authentication server 8.2:
Security Domain: Same Security domain
Hostname: As the documentation suggests, this has to be exactly like the Hostname configured in CA PAM network settings. We used FQHN for both.
IP Address: This has to be the exact IP address of the appliance which will reach out to the RSA Authentication Server:
Note: We originally made the mistake of just putting the VIP hostname/IP. All appliances which may authenticate to the RSA Authentication Server need to have an entry.
Protect IP Address:  Yes
Agent Type: Standard Agent
Disabled: No
User Group Access Restriction: No
Trusted Realm Authentication: No
Trusted User Authentication: open to all trusted users

** Node Secret: Do not add a node secret !!! ***

Configure the RSA SecurID 800 Hybrid Authenticator
This was a confusing step. I Interpreted this as to ensure the soft token configuration was setup in a specific way.
Type: SecurID Software Token, 8 digits,  changes every 60 seconds (AES-TIME)
Displayed value: Passcode (PIN incorporated into tokencode)

Testing
Testing the integration piece was simple. I created a local test PAM id which matched my id in RSA. Set the Authentication to "RSA". At the PAM login, use my RSA ID, Authentication type "RSA", and the current Passcode from the RSA soft token. Once this has been verified as working, we were ready to move onto the next step.

Configure LDAP+RSA Authentication
Migrating from LDAP to LDAP+RSA Authentication was a little painful. In my shop, The entire employee organization unit was linked to AD. For instance, "employees" OU (with LDAP authentication) and then created local PAM groups for association with policies,

We moved to AD Groups imported (with LDAP+RSA Authentication) which served as the PAM groups for association with policies. This allowed PAM access control to be managed by our IDM tool ie move users in / out of AD groups.

The tricky part was we had to remove the single AD link ("LDAP" authentication) before linking the individual AD groups (LDAP+RSA Authentication)
Note: we tried having them exist in parallel which didn't work.

This procedure caused all the policy mappings to be erased. We had anticipated that effect and had a backup of the original policy mappings.  Note: I had the PAM USRSYNC patch handy as doing this procedure in development revealed some database inconsistency issues.

Naturally, we broke the cluster and did this all on one node and tested before restarting the cluster. This gave us an easy back out. 

Hope this helps!
Chris

Thank you for the information!  This is an excellent documentation supplement on your use case.  I have created a new Knowledge Article on this topic based on this post.  Both this community post and the KB will be Google indexed will be helpful to PAM clients performing the integration of PAM with RSA.

https://knowledge.broadcom.com/external/article?articleId=187483


------------------------------
Best regards,

Scott Owens
Sr Support Engineer

------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.

Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
------------------------------
------------------------------

Original Message:
Sent: 03-27-2020 10:59 AM
From: Chris Scott
Subject: Use Case Steps for PAM integration with RSA

Hello,

While the Broadcom documentation lists the necessary steps to integrate the use of RSA SecurID, I wanted to provide a use case example and hopefully save someone else from the anxiety we went through to get it working.  We were able to use the same soft tokens as we used for securing other stuff.

First of all, this is by no means meant to substitute the official documentation. This is more about documenting on how we used the documentation to make it work! (No warranties, so on...)

Broadcom Documentation for 3.3.2:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/configure-the-product-for-rsa-securid.html

Register CA PAM as an Authenticating Device on the RSA ACE server
It is crucial to get this right. The PAM documentation is not specific on exactly what needed to be done, which I get because this configuration can be subjective depending on the specific use case.

As of RSA Authentication server 8.2:
Security Domain: Same Security domain
Hostname: As the documentation suggests, this has to be exactly like the Hostname configured in CA PAM network settings. We used FQHN for both.
IP Address: This has to be the exact IP address of the appliance which will reach out to the RSA Authentication Server:
Note: We originally made the mistake of just putting the VIP hostname/IP. All appliances which may authenticate to the RSA Authentication Server need to have an entry.
Protect IP Address:  Yes
Agent Type: Standard Agent
Disabled: No
User Group Access Restriction: No
Trusted Realm Authentication: No
Trusted User Authentication: open to all trusted users

** Node Secret: Do not add a node secret !!! ***

Configure the RSA SecurID 800 Hybrid Authenticator
This was a confusing step. I Interpreted this as to ensure the soft token configuration was setup in a specific way.
Type: SecurID Software Token, 8 digits,  changes every 60 seconds (AES-TIME)
Displayed value: Passcode (PIN incorporated into tokencode)

Testing
Testing the integration piece was simple. I created a local test PAM id which matched my id in RSA. Set the Authentication to "RSA". At the PAM login, use my RSA ID, Authentication type "RSA", and the current Passcode from the RSA soft token. Once this has been verified as working, we were ready to move onto the next step.

Configure LDAP+RSA Authentication
Migrating from LDAP to LDAP+RSA Authentication was a little painful. In my shop, The entire employee organization unit was linked to AD. For instance, "employees" OU (with LDAP authentication) and then created local PAM groups for association with policies,

We moved to AD Groups imported (with LDAP+RSA Authentication) which served as the PAM groups for association with policies. This allowed PAM access control to be managed by our IDM tool ie move users in / out of AD groups.

The tricky part was we had to remove the single AD link ("LDAP" authentication) before linking the individual AD groups (LDAP+RSA Authentication)
Note: we tried having them exist in parallel which didn't work.

This procedure caused all the policy mappings to be erased. We had anticipated that effect and had a backup of the original policy mappings.  Note: I had the PAM USRSYNC patch handy as doing this procedure in development revealed some database inconsistency issues.

Naturally, we broke the cluster and did this all on one node and tested before restarting the cluster. This gave us an easy back out.

Hope this helps!
Chris