RSA Authentication Manager
The CPM supports centralized management of RSA Authentication Manager accounts. RSA Authentication Manager verifies authentication requests and centrally administers authentication policies for an organization's end users.
Supported platforms
The CPM supports remote password management for RSA SecurID accounts on the following platforms:
■ RSA Authentication Manager 8.1, 8.2
Prerequisites
■ The RSA Authentication Manager certificate must be installed on the CPM machine.
■ This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.
Platform
In the PVWA Platform Management page, make sure that the following target account platform is displayed:
■ RSA Authentication Management
Connection methods
This plugin supports the following connection methods to connect to the remote machine:
■ SSH
■ HTTPS
Password management features
The CPM can change, verify, and reconcile RSA Authentication Manager passwords on remote machines. If a password is invalid, the CPM can generate a new password and replace the invalid password on the remote machine and its corresponding password in the Password Vault. The parameters that define these tasks are in the platform. A reconciliation account password can be specified either at platform level or at account level.
For details, see Automatic account management.
RSA SecurID users
This plugin manages the following RSA SecurID users:
Operating System user
This is a user in the RSA Authentication Manager operating system. It is managed by the Unix SSH platform and must be used as a logon account for an Operations Console user. This user can change its own password even if it is not assigned an admin role in the RSA Authentication Manager. However, the following must hold:
■ The user must be permitted to log on to the RSA Authentication Manager using the SSH protocol.
■ To reconcile accounts, the reconciliation account must be listed in the Unix server's sudoers file.
Security Console user
This user is managed by the RSA Authentication Management platform and is used to log on to the RSA Authentication Manager both for itself and on behalf of the Operations Console user.
This user requires a logon account to access the RSA Authentication Manager. The logon account must be a Command Client account on the RSA Authentication Manager, whose credentials are required to create the Security Console user account in the PVWA.
To retrieve the Command Client credentials:
1. Log on to the RSA Authentication Manager as the rsaadmin user.
2. On your Authentication Manager host, at a command prompt, change to the RSA_AM_HOME/utils directory.
3. Enter the following command:
   rsautil manage-secrets --action list
4. At the prompt, enter your Operations Console username and password. The system displays a list of your internal system passwords.
5. Identify the user name and password for the Command Client. For example:
   ■ Command Client user name: CmdClient_vKr9aLK9
   ■ Command Client user password: e9SHbK0W4i
6. Save these credentials to use when creating the logon account for the Security Console user.
To add the Security Console user account:
1. In the Add Account page, specify the following properties:
   ■ Device – Select Application.
   ■ Platform – Select RSA Authentication Manager.
   ■ Username – Specify the name of the user as it is defined in the RSA Authentication Manager.
   ■ Address – Specify the FQDN address of the RSA Authentication Manager.
   ■ RSA User Type – Select Security User.
   ■ Password – The Security Console user's password.
2. Click Save. The new account is added and the Account Details page is displayed.
3. In the Security Console account details, in the CPM pane, associate the logon account (required):
   ■ Click Associate, then select an existing Command Client account that will log the Security Console user onto the RSA Authentication Manager,
   or
   ■ Click Create New to create a new logon account with the Command Client credentials that you saved before adding the Security Console user account. In addition to the account properties described above, specify the following properties to define this user as a Command Client user:
     ■ Platform – Select RSA Authentication Manager.
     ■ RSA User Type – Select Command Client User.
     ■ Select Disable automatic management for this account.
4. Associate the change and reconcile accounts (optional):
   If this Security Console user has an admin role in the RSA Authentication Manager and is a 'Change Account', it can change and reconcile its own password and does not require associated accounts. However, if this Security Console user does not have an admin role in the RSA Authentication Manager, a 'Change Account' must be associated in order to manage the password. The associated account must be another Security Console user that has an admin role in the RSA Authentication Manager and is a 'Change Account'.
Operations Console user
This user is managed by the RSA Authentication Management platform.
To add the Operations Console user account:
1. In the Add Account page, specify the following properties:
   ■ Device – Select Application.
   ■ Platform – Select RSA Authentication Manager.
   ■ Username – Specify the name of the user as it is defined in the RSA Authentication Manager.
   ■ Address – Specify the FQDN address of the RSA Authentication Manager.
   ■ RSA User Type – Select Operation User.
   ■ Password – The Operations Console user's password.
2. Clear Disable automatic management for this account.
3. Click Save. The new account is added and the Account Details page is displayed.
4. In the CPM pane, associate the logon account (required):
   An Operating System user account is required to log the Operations Console user onto the RSA Authentication Manager. Make sure that the associated account is called rsaadmin in the RSA Authentication Manager and that its account in the PVWA is managed by the Unix SSH platform.
   ■ Click Associate, then select an existing Operating System user account that will log the Operations Console user onto the RSA Authentication Manager,
   or
   ■ Click Create New to create a new logon account for the Operating System user account on the RSA Authentication Manager. In addition to the account properties described above, specify the following properties to define this user as an Operating System user:
     ■ Platform – Select RSA Authentication Manager.
     ■ RSA User Type – Select Operating System User.
5. Associate the reconcile account (required):
   A Security Console user account is required to reconcile and change the Operations Console user account. Make sure that the associated Security Console user account has an admin role in the RSA Authentication Manager and is a 'Change Account'.