

How You Acquire and Manage RSA 7.1 Endpoints

Before you can administer an RSA 7.1 endpoint with the Provisioning Manager, acquire the endpoint. When acquiring an RSA 7.1 endpoint, perform the following steps from the Endpoint task view:

  1. Acquire the RSA server as an endpoint in the Provisioning Manager.
  2. Explore the objects that exist in the endpoint.

    After registering the computer in the Provisioning Manager, you can explore its contents. The exploration process finds all RSA objects. You can correlate the accounts with global users at this time, or you can wait to correlate them.

  3. Correlate the explored accounts to global users. You can:

Acquire an RSA SecurID 7 Endpoint

Acquire and register an RSA SecurID 7 endpoint before you can administer it with the Provisioning Manager.

To acquire an RSA SecurID 7 endpoint

  1. In the Provisioning Manager, click the Endpoints button.
  2. In the Object Type list, select RSA SecurID 7 [DYN Endpoint], then click New.

    The RSA SecurID namespace dialog appears.

  3. On the Endpoint tab, specify the Username and Password of a privileged RSA local user, and the command credentials for the RSA endpoint.

    Note: Command client credentials are generated on an RSA server and work only with that RSA installation. You require different command credentials for each RSA installation. However, although different realms defined on one RSA server correspond to different CA Identity Manager endpoints, you can use the same command credentials to acquire them.

  4. Complete the remaining fields on the Endpoint tab, then click OK.
  5. Complete the fields on the Endpoint Settings tab.

    The various settings that apply to controlling endpoints, such as password propagation and synchronization, are specified.

  6. Complete the fields on the General 1 tab.

    You have defined the time zone associated with group access times.

  7. Complete the fields on the Program Exits Reference tab.

    Program exits are viewed, added, edited, or removed as specified.

  8. Complete the fields on the Attribute Mapping tab.

    The default attribute mapping defined in the schema file for the endpoint type is specified.

  9. Complete the fields on the Logging tab.

    The logging settings for the new endpoint are specified.

  10. Click OK.

    You have specified the administrative and connection details of an RSA SecurID endpoint.

Account Management

The RSA 7.1 SecurID connector supports the following account management operations:

Add Accounts

To create an account for a user on the RSA endpoint, create a user and specify the details of their account.

To add accounts

  1. In the Provisioning Manager, click the Endpoints button and select SecurID 7 [DYN Endpoint] in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to add accounts, then select Content.

    The Endpoint Content dialog appears.

  4. Select the System Domain container in the Container tree.
  5. Select User Account in the Object Type list and click New.

    The User Account dialog General 1 tab appears.

  6. On the General 1 tab, specify the basic details of the user account you want to add.
  7. On the General 2 tab, specify the authentication details of the user account.
  8. On the General 3 tab, specify that you want to assign the next available token and clear the incorrect passcode counter.
  9. On the Identity Source tab, select the Identity Source where you want to add the user.
  10. On the RADIUS profile tab, assign a RADIUS profile to the user.
  11. On the Administrative Roles tab, assign an administrative role to the user.
  12. On the SecurID Tokens tab, assign a token to the user.
  13. On the Member of tab, add the user to a group.
  14. Click OK.

    The user account is created on the RSA endpoint.

Update Accounts

To modify the details of a user account, update the user account on the RSA endpoint.

To update accounts

  1. In the Provisioning Manager, click the Endpoints button and select SecurID 7 [DYN Endpoint] in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to update accounts and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type list and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click an account in the list view and then click Properties.
  7. Modify the properties on the User Account dialog and then click Apply.

    The details of the user account are modified.

Delete Accounts

If you want to remove an account from an endpoint, you can delete the account.

To delete accounts

  1. Click the Endpoints task button and select SecurID 7 [DYN Endpoint] in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to remove the account and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type list and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click an account in the list view and then click Delete.
  7. When prompted, confirm that you want to delete the account.

    The account is deleted.

Create an Account Template

You can create account templates that specify a set of attributes and privileges for all users assigned the account template.

To create account templates

  1. Click the Roles task button and select the RSA SecurID 7 [DYN Account Template] type in the Object Type drop-down list.
  2. Click New.

    The RSA SecurID 7 Account Template dialog appears.

  3. On the Endpoints tab, specify an endpoint for this account template.
  4. On the General 1 tab, specify the user's details and account credentials for accounts provisioned with this template.

    Important! If you are creating an account template for trusted users, delete the rule string %P% from the Password field. If you do not delete the rule string, the account template creation for the global user will fail.

  5. On the General 2 tab, specify the authentication settings for users that are provisioned with this account template.

    Important! If you are creating an account template for trusted users, delete the rule string %XD% from the Start date field, and delete the rule string %UL% from the Last name field. If you do not delete the rule strings, the account template creation for the global user will fail.

  6. On the Identity source tab, specify the identity source that accounts based on the template are assigned.
  7. On the RADIUS Profile tab, specify the RADIUS profile that accounts based on this template are assigned.

  8. On the Administrative Roles tab, specify the administrative roles that accounts based on the template are assigned.
  9. On the Member of (Trusted Groups) tab, specify the trusted groups that accounts based on the template are members of.
  10. On the Member of tab, specify the groups that accounts based on the template are members of.
  11. Click OK.

    The account template for the RSA endpoint is created.

Edit an Account Template

You can modify the account templates that specify a set of attributes and privileges for all users assigned the account template.

To edit an account template

  1. Click the Roles task button and select the RSA SecurID 7 [DYN Account Template] type in the Object Type drop-down list.
  2. Click Search.

    The account templates for the system domain you selected appear in the list view.

  3. Right-click an account template in the list view and then click Properties.

    The RSA SecurID 7 Account Template dialog appears.

  4. Complete the fields on the General 1 tab to specify the user's details and account credentials for accounts provisioned with this template.
  5. Complete the General 2 tab to specify authentication settings for users that are provisioned with this account template.
  6. Complete the fields on the Identity source tab to specify the identity source that accounts based on the template are assigned.
  7. Complete the fields on the RADIUS Profile tab to specify the RADIUS profile that accounts based on this template are assigned.
  8. Complete the Administrative Roles tab to specify the administrative roles that accounts based on the template are assigned.
  9. Complete the Member of (Trusted Groups) tab to specify the trusted groups that accounts based on the template are members of.
  10. Complete the Member of tab to specify the groups that accounts based on the template are members of.
  11. Click OK.

    The account template for the RSA endpoint is updated.

Delete an Account Template

You can delete account templates for the RSA 7.1 SecurID endpoint.

To delete account templates

  1. Click the Roles task button and select the RSA SecurID 7 [DYN Account Template] type in the Object Type drop-down list.
  2. Click Search.

    The account templates for the system domain you selected appear in the list view.

  3. Right-click an account template you want to delete and then click Delete.
  4. When prompted, confirm that you want to delete the account template.

    The account template is deleted.

Create a Trusted User

To create a user that can authenticate through realms other than their own, you can create a trusted user. When you create a user account, you append the name of the trusted realm you want the user to authenticate through to the user's login id, which identifies the user as a trusted user.

To create a trusted user

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to create a trusted user and then select Content.

    The Endpoint Content dialog appears.

  4. Select the System Domain container in the Container tree.
  5. Select User Account in the Object Type list and click New.

    The User Account dialog General 1 tab appears.

  6. On the General 1 tab, define a login id for the user, then select the trusted realm you want the trusted user to authenticate through from the drop-down list next to the Login Id field.
  7. Complete the Notes field if required.
  8. If required, complete the Default Shell field in the General 2 tab on the User Account dialog, then click OK.
  9. Complete the required fields on the other tabs on the User Account dialog, then click OK.
  10. On the RADIUS profile tab, assign a RADIUS profile to the user.
  11. On the Member of (Trusted Group) tab, add the user to a trusted group.

    The trusted user is created, and is assigned a login id in the following format:

    Remote_username <delimiter> Realm_name

    For example, UserName01 % CA.

More information:

Local and Remote User Support

Move a Local or Trusted User into a Different Security Domain

If you want to manage a local or trusted user under a different security domain, you can move the user to another security domain within the realm.

To move a local user or trusted user into a different security domain

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to move a local or trusted user, and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type box and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click an account in the list view and then click Move.

    The Move in Hierarchy dialog appears.

  7. Select the Security Domain you want to move the account into.
  8. Click OK.

    The account is moved into the security domain you selected.

Update a Trusted User

If the account details of a user change, you can update the details of a trusted user.

To update a trusted user

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to update a trusted user, and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type list and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click an account in the list view and then click Properties.
  7. Modify the properties on the User Account dialog and then click Apply.

    The details of the user are modified.

Rename a Trusted User

If the login id or the trusted realm the user belongs to changes, you can change the details of the user's login id.

To rename a trusted user

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search to search for the endpoint on which you want to update the account.
  3. Right-click the endpoint on which you want to rename a trusted user and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type list and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click a trusted account in the list view and then click Rename.

    The Rename dialog appears.

  7. Type the new name of the trusted user in the New name field in the following format:

    Remote_username <delimiter> Realm_name

    For example, UserName01 % CA.

More information:

Local and Remote User Support

Delete a Trusted User

To remove a trusted user from an endpoint, you can delete the trusted user account.

To delete trusted users

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to delete a trusted user and then select Content.

    The Endpoint Content dialog appears.

  4. In the Container tree, select the Security Domain you want to search.
  5. Select User Account in the Object Type list and then click Search.

    The accounts for the system domain you selected appear in the list view.

  6. Right-click a trusted user in the list view and then click Delete.
  7. When prompted, confirm that you want to delete the trusted user.

    The trusted user is deleted.

How to Add Trusted Users to Trusted Groups

To add trusted users to trusted groups, you can do either of the following:

Add Trusted Users to Trusted Groups

To manage trusted users as a group, you can specify which trusted groups a user is a member of.

To specify which trusted groups the user is a member of

  1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
  2. Click Search.

    The RSA 7.1 endpoints appear in the list view.

  3. Right-click the endpoint on which you want to specify which trusted groups a user is a member of, and then select Content.

    The Endpoint Content dialog appears.

  4. Select the System Domain container in the Container tree.
  5. Select User in the Object Type list and click Search.

    The list of users appears in the list view.

  6. Right-click the user you want to add to a trusted group, then click Properties.

    The User dialog General 1 tab appears.

  7. Click the Member of (Trusted Groups) tab.
  8. Search for the trusted groups you want to add the user to.

    The trusted groups you can assign to the trusted user appear in the Available list.

  9. In the Available list, select the trusted group or groups you want to add the user to, and then move the trusted group or groups to the Assigned list, then click OK.

    The trusted users you selected are added to the trusted group.