Symantec Access Management


Configure SiteMinder for SecurID

  • 1.  Configure SiteMinder for SecurID

    Posted Nov 30, 2016 01:51 PM

    Can someone explain exactly what I need to deploy on the SiteMinder Policy Server 12.52 SP1 running on Windows 2012 R2 Enterprise, and on the ACE server, to enable SecurID auth?

    The guide says to find sdconf.rec on the policy server under /winnt/system32 - I did a search and the file is not found.



  • 2.  Re: Configure SiteMinder for SecurID

    Posted Nov 30, 2016 06:30 PM

    Hi,

     

    The documentation provides the steps to start with:

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/securid-authentication-schemes

     

    sdconf.rec is generated in RSA Authentication Manager. After generating the file, you need to copy it to the path mentioned in the documentation, i.e. /winnt/system32

    Reference on generating the sdconf.rec file:

    https://community.spiceworks.com/topic/1518762-where-to-get-the-sdconf-rec-file-for-rsa-authentication-manager

     

    Regards,

    Kar Meng



  • 3.  Re: Configure SiteMinder for SecurID

    Posted Dec 01, 2016 10:19 AM

    Thank you - this is a big help.

    I went through the instructions on trying to generate the sdconf.rec on the ACE server - at one point the instructions say: "ensure all agents are connected first, before generating the config file." Does that mean I need to install the ACE agent on the Policy Server?

     

    Thanks,

    Syed.. 



  • 4.  Re: Configure SiteMinder for SecurID

    Posted Dec 01, 2016 10:55 AM

    If it helps any... here's what we essentially had to do to make it work with our 12.52 SP1 environment. And we did have to use the RSA agent to make it work properly.

     

    I can't speak to the RSA side itself, but when we had set it up, to them it was just like any other agent.

     

    • Receive sdconf.rec from the RSA Admin
    • Work with RSA Admin and install the RSA Agent on the Windows server hosting Policy Server
      • Be sure to select to not require RSA for server log in
    • Configure RSA Agent by performing a test authentication (establishes securid secret) and add IP override
      • RSA Control Center -> Advanced Tools -> [authenticate as a user]
      • Optional: May need to use the "IP Address Override" option if you have multiple IPs on the server
    • Add the environment variables:
      • USR_ACE = [path to securid file] (e.g., C:\Program Files\Common Files\RSA Shared\Auth Data\securid)
      • VAR_ACE = [path to sdconf.rec]   (e.g., C:\Program Files\Common Files\RSA Shared\Auth Data\sdconf.rec)
    • Restart Windows 
    • In SiteMinder, create RSA "SecurID HTML Form Template"
      • Point to HTML form to collect credentials (basically same as username+password but RSA stuff if you need)

     

    That was pretty much it, if I recall correctly. Been a while now.
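
A check for the environment-variable step in the list above, added here as an example and not part of the original post or of any CA or RSA tooling. It assumes both variables hold full file paths, as in the post's examples, and the function name `Test-AceVariable` is hypothetical.

```powershell
# Added example: verify USR_ACE and VAR_ACE after the restart step.
# Expected file names are taken from the example paths in the post.
$expected = @{ USR_ACE = 'securid'; VAR_ACE = 'sdconf.rec' }

function Test-AceVariable {
    param([string]$Name, [string]$ExpectedLeaf)

    # Read the machine-scope value: a Windows service only sees system
    # variables, not ones set for the logged-on administrator.
    $value  = [Environment]::GetEnvironmentVariable($Name, 'Machine')
    $result = [ordered]@{ Variable = $Name; Path = $value; Status = 'OK'; Access = '' }

    if ([string]::IsNullOrWhiteSpace($value)) {
        $result.Status = 'Not set at machine scope'
    }
    elseif (-not (Test-Path -LiteralPath $value -PathType Leaf)) {
        $result.Status = 'Path is not an existing file'
    }
    elseif ((Split-Path -Path $value -Leaf) -ne $ExpectedLeaf) {
        $result.Status = "File name is not '$ExpectedLeaf'"
    }
    elseif ((Get-Item -LiteralPath $value).Length -eq 0) {
        $result.Status = 'File is empty'
    }
    else {
        # The securid file holds the secret established by the test
        # authentication, so list every identity with an Allow entry
        # for the administrator to review.
        $acl = Get-Acl -LiteralPath $value
        $result.Access = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique) -join '; '
    }
    [pscustomobject]$result
}

$report = foreach ($name in $expected.Keys) {
    Test-AceVariable -Name $name -ExpectedLeaf $expected[$name]
}
$report | Format-List

# Non-zero exit code if any variable failed a check.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Run it from an elevated PowerShell prompt on the Policy Server host so that `Get-Acl` can read the files under `RSA Shared\Auth Data`.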



  • 5.  Re: Configure SiteMinder for SecurID
    Best Answer

    Posted Dec 01, 2016 02:29 PM

    Great help guys - I am making progress. 

     

    Any idea which AuthScheme form to use if I want to prompt the user for both passcode and password in separate fields?

     

    Thanks,

    Syed..



  • 6.  Re: Configure SiteMinder for SecurID

    Posted Dec 01, 2016 02:38 PM

    We use a custom form (labeled for PIN+Tokencode), not sure if any of the OOB ones CA provides has that. But I don't imagine it'd be too difficult to have 2x entry boxes, then just combine them into one password parameter on the actual submission/POST rather than the two individual parameters.



  • 7.  Re: Configure SiteMinder for SecurID

    Posted Dec 01, 2016 02:49 PM

    Do I have to do anything special if this is what I want to do?

     

    1. When user requests a protected resource, prompt user with a form login page. 

    2. Validate user password against the user directory tied to the policy

    3. Validate pin and passcode or just passcode by the ACE?

     

    Thanks,

    Syed..



  • 8.  Re: Configure SiteMinder for SecurID

    Broadcom Employee
    Posted Dec 01, 2016 08:28 PM

    I gather people have achieved that requirement (validate both directory password and SecurID passcode) by using this add-on: http://www.ca.com/content/dam/ca/us/files/service-offering/xauthradius-integration-for-ca-single-sign-on-overview.pdf



  • 9.  Re: Configure SiteMinder for SecurID

    Posted Dec 02, 2016 10:09 AM

    You sure you want password AND token authentication? Not sure that adds a whole lot extra. 

     

    On item 3, the only thing RSA AM should be verifying is the passcode (PIN + tokencode) - that gets passed as the "password".

     

    If you can accept the chance of person A's password being used but then person B's token... you could probably just protect the RSA HTML form with a password-based authentication scheme. So you'd first have to put in a password, then get the RSA form and "step up" to that. Just a thought.



  • 10.  Re: Configure SiteMinder for SecurID

    Posted Feb 21, 2017 12:36 PM

    Sorry, coming back to this - got pulled into an entirely different project for 2 months. But I have time to focus on this now.

    So back in the 6x days, I think there was a SecurID authscheme that required users to put in the passcode+password to authenticate (password being the LDAP or AD password). Is that not available any more?

     

    Thanks,

    Syed..