Configuring Reflection for Secure IT for RSA SecurID Authentication

  • 7022100
  • 02-Apr-2009
  • 02-Mar-2018

Environment

Reflection for Secure IT Windows Client version 7.1 or higher
Reflection for Secure IT Windows Server version 7.1 or higher
Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT UNIX Client version 7.1 or higher
RSA SecurID

Situation

This technical note provides an overview of how to configure RSA SecurID authentication in Reflection for Secure IT using the keyboard interactive authentication method. The UNIX products require Pluggable Authentication Modules (PAM).

Note: As a prerequisite to following the steps in this technical note, you must have a correctly configured RSA SecurID environment. We recommend that you review the RSA Authentication Manager documentation before using SecurID.

Resolution

In Windows

The Reflection for Secure IT Windows Client and Server support RSA SecurID authentication via the keyboard interactive setting.

Configure the Server for Windows version 8.0 or higher

Follow these steps to configure version 8.0 or higher of the Reflection for Secure IT Server for Windows. (These steps also apply to the Web Edition version of the server.)

  1. Install the RSA Authentication Agent on the computer running the Reflection for Secure IT server.
  2. Open the Reflection for Secure IT Server Configuration tool.
  3. On the Configuration tab, expand Authentication and select RSA SecurID.
  4. Under Agent path, browse to the RSA Authentication Agent folder that contains the file aceclnt.dll.
  5. Under RSA SecurID authentication, select Allow.

Note the following:

    • You will be unable to select Allow or Require if the RSA Authentication Agent has not yet been installed on the server computer, or if Agent path points to the wrong location.
    • The server uses the keyboard-interactive authentication method to support RSA SecurID authentication. This is true even if keyboard-interactive authentication is disabled on the Password pane.
  6. Optional: Set the Retries values.
  7. Click File > Save Settings.

If you are using:

RSA SecurID Windows Agent V7.1x
Authentication Manager V7.1x

Copy the sdconf.rec, sdstatus.12, and securid files from the C:\Program Files\Common Files\RSA Shared\Auth Data directory to the C:\Windows\System32 directory.

Configure the Windows Server 7.1 – 7.x

Follow these steps to configure the Reflection for Secure IT Windows Server.

  1. Install the RSA Authentication Agent on the computer running the Reflection for Secure IT server.
  2. Open the Reflection for Secure IT Server Configuration tool.
  3. On the Configuration tab, expand Authentication and select RSA SecurID.
  4. Under RSA SecurID authentication, select Allow.

Note the following:

    • You will be unable to select Allow or Require if the RSA Authentication Agent has not yet been installed on the server computer.
    • The server uses the keyboard-interactive authentication method to support RSA SecurID authentication. This is true even if keyboard-interactive authentication is disabled on the Password pane.
  5. Optional: Set the Retries values.
  6. Click File > Save Settings.

Note: On a Windows 2008 R2 server, the RSA client may not create an entry in the system environment variable PATH. You will need to add “C:\program files\common files\rsa shared\auth api” to the Windows system PATH.

To open the Windows Environment Variables dialog:

Start > Control Panel > System and Security > System > Advanced System Settings > Environment Variables

If you are using:

RSA SecurID Windows Agent V7.1x
Authentication Manager V7.1x

Copy the sdconf.rec, sdstatus.12, and securid files from the C:\Program Files\Common Files\RSA Shared\Auth Data directory to the C:\Windows\System32 directory.

Configure the Windows Client

The Reflection for Secure IT Windows Client supports RSA SecurID Authentication using the keyboard interactive setting. This setting is enabled by default.

To confirm that the Keyboard Interactive setting is selected:

  1. Open Connection > Connection Setup.
  2. Under Connection options, select or enter a Host name.
  3. Click the Security button. (This becomes enabled after you enter a host name.)
  4. On the General tab under User Authentication, confirm that the Keyboard Interactive check box is selected. Click OK.

In UNIX

To support RSA SecurID authentication in the UNIX environment, Reflection for Secure IT uses the keyboard interactive authentication method with the RSA Authentication Agent for PAM, which allows RSA SecurID tokens to be used when connecting to the server.

Note the following:

  • The RSA Authentication Agent for PAM must be running on the same host as the Secure Shell server.
  • We recommend that you familiarize yourself with the RSA Authentication Manager documentation before using SecurID.
  • For more information about PAM and RSA SecurID Authentication, see the User Guide available from https://support.microfocus.com/manuals/rsit_unix.html.

Configure the UNIX Client

To configure the Reflection for Secure IT UNIX Client, edit the client configuration file.

  1. Open /etc/ssh2/ssh2_config in a text editor.
  2. Set the AllowedAuthentications keyword to keyboard-interactive:
AllowedAuthentications=keyboard-interactive
  3. Save the file.

Configure the SSH UNIX Server

To configure the Reflection UNIX Server, edit the server configuration file.

  1. Open /etc/ssh2/sshd2_config in a text editor.
  2. Set the AllowedAuthentications and AuthKbdInt.Required keywords using the following values:
AllowedAuthentications=keyboard-interactive
AuthKbdInt.Required=pam

Start the UNIX Server

Before starting the SSH server, you must set the VAR_ACE and LD_LIBRARY_PATH environment variables.

  • Set VAR_ACE to the directory where the sdconf.rec file is located.
  • Set LD_LIBRARY_PATH to the directory where the RSA/Server or RSA/Agent is installed.

For example, if the agent is located in /opt/ace, you would start the service as follows:

$ VAR_ACE=/opt/ace/data LD_LIBRARY_PATH=/opt/ace/prog /usr/sbin/sshd2

Note: To have the VAR_ACE and LD_LIBRARY_PATH variables configured on server startup, add them to the host's init script.
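
The following pre-flight check is an added example, not part of the original technical note or of Reflection for Secure IT. It compares a server configuration file and the current environment against the values given above, so that a server left accepting methods other than keyboard-interactive, or started without the RSA variables, is caught before sshd2 is launched. The function names and the assumed file syntax (case-insensitive keywords, "Keyword=value" or "Keyword value", "#" comment lines) are assumptions.

```shell
# Added example: pre-flight check for the sshd2 SecurID settings on this page.
# Assumed syntax: "Keyword=value" or "Keyword value", '#' starts a comment line.

# get_keyword FILE KEYWORD: print the last value assigned to KEYWORD.
get_keyword() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (!match(line, /[ \t=]/)) next      # no separator on this line
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", v)         # drop the separator itself
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

# check_securid_server FILE: print each deviation from the values on this page
# and return the number of problems found (0 means ready to start sshd2).
check_securid_server() {
    problems=0
    allowed=$(get_keyword "$1" AllowedAuthentications | tr 'A-Z' 'a-z')
    kbdint=$(get_keyword "$1" AuthKbdInt.Required | tr 'A-Z' 'a-z')
    if [ "$allowed" != "keyboard-interactive" ]; then
        echo "AllowedAuthentications='$allowed' (page sets keyboard-interactive)"
        problems=$((problems + 1))
    fi
    if [ "$kbdint" != "pam" ]; then
        echo "AuthKbdInt.Required='$kbdint' (page sets pam)"
        problems=$((problems + 1))
    fi
    if [ ! -f "${VAR_ACE:-/nonexistent}/sdconf.rec" ]; then
        echo "VAR_ACE='${VAR_ACE:-}' does not contain sdconf.rec"
        problems=$((problems + 1))
    fi
    lib_ok=0; old_ifs=$IFS; IFS=:
    for d in ${LD_LIBRARY_PATH:-}; do
        if [ -d "$d" ]; then lib_ok=1; fi
    done
    IFS=$old_ifs
    if [ "$lib_ok" -eq 0 ]; then
        echo "LD_LIBRARY_PATH has no existing directory (RSA agent libraries)"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call `check_securid_server /etc/ssh2/sshd2_config` from the same environment that will launch sshd2, for example in the init script just before the daemon starts.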

Troubleshooting

If you have trouble making a connection, try testing without Reflection for Secure IT. The RSA SecurID agent has a test authentication utility you can use to verify the credentials of a user. If the utility fails, then either SecurID is not set up correctly or the credentials are incorrect.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2426.