

How To Integrate CA ControlMinder Enterprise Management with RSA SecurID

If your organization uses RSA SecurID to authenticate users, you can use RSA SecurID to authenticate user logins to CA ControlMinder Enterprise Management. When you integrate the Enterprise Management Server with RSA SecurID, CA ControlMinder Enterprise Management does not authenticate users on login. Instead, CA ControlMinder Enterprise Management detects that user authentication is done by a third-party program.

The following process explains how to integrate CA ControlMinder Enterprise Management with RSA SecurID:

  1. Prepare the Enterprise Management Server.
  2. Install a supported web server:
  3. Configure the web server as a reverse proxy server.

    The web server acts as a reverse proxy server for all login authentication requests.

  4. Configure RSA SecurID to block all network access to CA ControlMinder Enterprise Management except from the web server.

    RSA SecurID prevents users from accessing CA ControlMinder Enterprise Management directly.

  5. Install the Enterprise Management Server components.
  6. Define a user account in CA ControlMinder Enterprise Management for each RSA SecurID user that will log in to CA ControlMinder Enterprise Management.

    Define only those users that you want to grant access to CA ControlMinder Enterprise Management.

    Important! If you are using Active Directory you do not need to complete this step.

  7. Install the RSA Authentication Agent on the following servers:

    RSA Authentication Agent intercepts user access requests and forwards the requests to RSA Authentication Manager.

  8. Configure the RSA web Agent to enable Single Sign On (SSO) to CA ControlMinder Enterprise Management.
  9. Install the RSA Authentication Manager on a dedicated host.

    RSA Authentication Manager authenticates user access requests.

Each time a user tries to log in to CA ControlMinder Enterprise Management, RSA SecurID prompts the user for valid RSA SecurID credentials instead of CA ControlMinder Enterprise Management user account details. If the user is authenticated, RSA SecurID logs the user in to CA ControlMinder Enterprise Management.

Note: For more information about the RSA SecurID web Agent and Authentication Manager, refer to the RSA SecurID website.

How RSA SecurID Authenticates User Logins

When you integrate the Enterprise Management Server with RSA SecurID, each time a user logs in to CA ControlMinder Enterprise Management, RSA SecurID authenticates the login request. If RSA SecurID validates the user login, the user automatically gains access to CA ControlMinder Enterprise Management.

The following diagram illustrates how RSA SecurID authenticates user logins to CA ControlMinder Enterprise Management:

Configuring a Web Server as a Reverse Proxy Server

When a user attempts to log in to CA ControlMinder Enterprise Management, RSA SecurID intercepts the request and prompts the user for a valid SecurID user name and password. The web server that you installed acts as a reverse proxy server that receives login requests from the RSA Authentication Web agent on the Enterprise Management Server and forwards the requests to the RSA Authentication Manager.

A reverse proxy is a gateway for other servers that enables one web server to provide content from another.

Example: Configuring Internet Information Services 7.0 on Windows Server 2008 as a Reverse Proxy Server

In this example, Steve the system administrator installed the Enterprise Management Server and Internet Information Services (IIS) 7.0 on Windows Server 2008 with the Application Request Routing (ARR) module installed. The ARR module enables IIS to act as a proxy server.

  1. Steve enables the IIS proxy settings on the Internet Information Services server:
    1. Selects Start, Administrative Tools, Internet Information Services (IIS) Manager.

      The Internet Information Services (IIS) Manager console opens.

    2. Selects the host from the left pane to expand the actions pane and selects the Application Request Routing Cache icon.

      The Application Request Routing Cache management console opens.

    3. Selects Server Proxy Settings from the actions pane.
    4. Marks the Enable Proxy check box and clicks Apply.

      Steve has enabled the IIS proxy settings.

  2. Steve configures the IIS to forward requests to the Enterprise Management Server:
    1. Expands the Sites menu and selects the default website.
    2. Highlights the URL Rewrite icon and selects Open Feature from the Actions menu.

      The URL Rewrite configuration console opens.

    3. Selects Add Rules from the Actions menu.

      The Add Rules window opens.

    4. Under Inbound Rules, selects Blank Rule and clicks OK.

      The Edit Inbound Rule configuration window opens.

    5. Specifies the rule name and selects (iam.+) from the Patterns menu.
    6. Scrolls down to the Action section and selects Rewrite from the Action type menu.
    7. Enters the CA ControlMinder Enterprise Management URL in the URL Rewrite field using the following format:
      http://enterprise_host:8080/{R:0}
      
    8. Clicks Apply to create the rule.

      The new inbound rule is created.

    9. Repeats steps 3 to 8 using (castyles.+) from the Patterns menu.

      Steve has configured the IIS to forward requests to the Enterprise Management Server.

  3. Steve configures RSA SecurID to secure the web server:
    1. Selects the Default Web Site in the Internet Information Services (IIS) Manager console and double-clicks the RSA SecurID icon.

      The RSA SecurID settings window opens.

    2. Selects the following check boxes:
      • Enables RSA SecurID Web Access Authentication Feature on This Server
      • Protect This Resource
    3. Selects Apply from the Actions menu.
  4. Steve configures the RSA Web Agent to enable Single Sign On (SSO) for CA ControlMinder Enterprise Management:
    1. Opens the regedit utility and navigates to the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSAWebAgent
      
    2. Creates a registry key of type DWORD under the name RSAUSERCustomHeader.
    3. Sets the registry key value to 1.

    Steve has configured Internet Information Services as a reverse proxy server.

Example: Configuring the Apache Web Server 2.2.6 as a Reverse Proxy Server on Red Hat Enterprise Linux 5.0

In this example, Steve the system administrator installed the Enterprise Management Server on Red Hat Enterprise Linux 5.0. Steve now needs to install and configure the Apache Web Server 2.2.6 as a reverse proxy server.

  1. Steve does the following to install and configure the Apache Web Server 2.2.6 with the proxy module:
    1. Configures the Apache Web Server 2.2.6 installation to install the proxy module, as follows:
      tar -zxvf httpd_2.2.6.tar.gz
      # Run the remaining commands from the extracted source directory
      ./configure --prefix=/usr/local/apache --enable-proxy --enable-proxy-http
      make
      make install
      

      The Apache Web Server 2.2.6 is installed with the proxy module.

  2. Steve does the following to configure the reverse proxy:
    1. Navigates to the conf directory of the Apache web server.
    2. Opens the httpd.conf file for editing.
    3. Locates the LoadModule list of entries and adds the following section:
      # Used for proxy to the Enterprise Management Server
      ProxyPass        /iam http://192.168.1.1:8080/iam
      ProxyPass        /castylesr5.1.1 http://192.168.1.1:8080/castylesr5.1.1
      ProxyPassReverse /iam http://192.168.1.1:8080/iam
      
    4. Saves and closes the file.
    5. Restarts the Apache Web Server.

    Steve configured the Apache Web Server 2.2.6 to act as a reverse proxy server.

  3. Steve configures the RSA web agent to ignore the web browser IP address for cookie validation:
    1. Navigates to the RSA web agent installation directory:
      /usr/local/apache/rsawebagent/
      
    2. Runs the RSA web agent configuration utility.
    3. Selects the RSA server that is currently in use from the list.
    4. Browses to the second configuration screen.
    5. Verifies that the Ignore browser IP address for cookie validation option is enabled.

    Steve has configured the RSA web agent to ignore the web browser IP address for cookie validation.

  4. Steve configures the RSA web agent to enable Single Sign On (SSO) for CA ControlMinder Enterprise Management:
    1. Opens the Linux web agent distribution and locates the following file:
      rsacookieapi.tar
      
    2. Copies the file to a temporary directory and extracts the content of the file.
    3. Locates the following files:
      • RSACookieAPI.jar
      • librsacookieapi.so
    4. Copies the librsacookieapi.so file to the following location, where JBOSS_HOME indicates the location where Steve installed JBoss:
      JBOSS_HOME/server/default/deploy/IdentityMinder.ear/library
      
    5. Copies the RSACookieAPI.jar file to the following location:
      JBOSS_HOME/server/default/deploy/IdentityMinder.ear/user_console.war/WEB-INF/lib/
      

    Steve configured the RSA web agent to enable SSO for CA ControlMinder Enterprise Management.
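
The httpd.conf section in the Apache example can be checked mechanically before the web server is restarted, because a mistyped backend address sends login traffic to a host other than the Enterprise Management Server. The following Python check is an added example, not part of the CA or RSA product documentation; the function name audit_proxy_conf and the sample configuration are constructed for illustration, and ProxyRequests is a standard mod_proxy directive that this page does not itself mention.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from a real server): a ProxyPass section with one
# backend address mistyped and forward proxying switched on.
SAMPLE_CONF = """\
ProxyRequests On
# Used for proxy to the Enterprise Management Server
ProxyPass /iam http://196.168.1.1:8080/iam
ProxyPass /castylesr5.1.1 http://192.168.1.1:8080/castylesr5.1.1
ProxyPassReverse /iam http://192.168.1.1:8080/iam
"""

DIRECTIVE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass|ProxyRequests)\s+(\S+)(?:\s+(\S+))?", re.I)

def audit_proxy_conf(text, expected_backend):
    """Return findings for the reverse-proxy directives in httpd.conf text.

    expected_backend is the "host:port" of the Enterprise Management Server.
    """
    findings, passes, reverses = [], {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)          # comment lines never match
        if not m:
            continue
        name, arg1, arg2 = m.group(1), m.group(2), m.group(3)
        if name.lower() == "proxyrequests":
            if arg1.lower() == "on":       # a reverse proxy does not need this
                findings.append(f"line {lineno}: ProxyRequests On enables forward proxying")
            continue
        if arg2 is None or arg2 == "!":    # "!" excludes a path from proxying
            continue
        backend = urlsplit(arg2).netloc
        if backend != expected_backend:    # every mapping must hit the same server
            findings.append(f"line {lineno}: {name} {arg1} targets {backend}, "
                            f"expected {expected_backend}")
        (passes if name.lower() == "proxypass" else reverses)[arg1] = arg2
    for path, url in reverses.items():     # response rewriting must mirror the mapping
        if path in passes and passes[path] != url:
            findings.append(f"{path}: ProxyPass and ProxyPassReverse URLs differ")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF, "192.168.1.1:8080"):
        print(finding)
```

Run it against the real httpd.conf text with the actual host and port of the Enterprise Management Server; an empty result means every mapping points at that server and forward proxying is off.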