Previous Topic: RSA InstallationNext Topic: Token Management

CA Identity Manager Connector GuidesConnectors GuideConnecting to EndpointsRSA ACE (SecurID) ConnectorConnector Specific Features

Connector Specific Features

This section details your connector's specific management features, such as how to acquire and explore your endpoint. Also included are account, provisioning roles, account template, and group information specifically for your connector.

Acquire an RSA ACE Server Using the User Console

You must acquire the RSA ACE server before you can administer it with CA Identity Manager.

To acquire an RSA ACE server using the User Console

  1. Select Endpoints, Manage Endpoints,Create Endpoint
  2. Select RSA from the drop-down list box on Create a new endpoint of Endpoint Type, and click Ok

    Use the Create RSA Endpoint page to register an RSA ACE server. During the registration process, CA Identity Manager identifies the RSA ACE server you want to administer and gathers information about it.

  3. After entering the required information, click Submit.

    You are now ready to explore and Correlate the endpoint.

  4. Click Endpoints, Explore and Correlate Definitions, Create Explore and Correlate Definition to explore the objects that exist on the endpoint.

    The Exploration process finds all RSA accounts and groups. You can correlate the accounts with global users at this time or you can correlate them later.

  5. Click OK to start a new definition.
  6. Complete the Explore and Correlate Tab as follows:
    1. Fill in Explore and Correlate name with any meaningful name.

      Click Select Container/Endpoint/Explore Method to click an RSA endpoint to explore.

    2. Click the Explore/Correlate Actions to perform:
      • Explore directory for managed objects—Finds objects that are stored on the endpoint and not in the provisioning directory.
      • Correlate accounts to users—Correlates the objects that were found in the explore function with users in the provisioning directory. If the user is found, the object is correlated with the user. However, you can instead select that you want to assign the account to the existing user (the default user) or create the user.
      • Update user fields—If a mapping exists between the object fields and the user fields, the user fields are updated with data from the objects fields.
  7. Complete the Recurrence tab if you want to schedule when the task to executes.
    1. Click Schedule.
    2. Complete the fields to determine when this task should execute.

      You may prefer to schedule the task to execute overnight to interfere less with routine access of the system.

    Note: This operation requires the client browser to be in the same time zone as the server. For example, if the client time is 10:00 PM on Tuesday when the server time is 7:00 AM, the Explore and Correlate definition will not work.

  8. Click Submit.

To use an explore and correlate definition

  1. In a CA Identity Manager environment, click Endpoints, Execute Explore and Correlate.
  2. Click an explore and correlate definition to execute.
  3. Click Submit.

    The user accounts that exist on the endpoint are created or updated in CA Identity Manager based on the explore and correlate definition you created.

Acquire an RSA ACE Server Using the Provisioning Manager

You must acquire the RSA ACE/Server machine before you can administer it with CA Identity Manager. When acquiring an RSA ACE/Server machine, perform the following steps.

From the Endpoint type task view

  1. Register the machine as an endpoint in CA Identity Manager.

    Use the RSA ACE (SecurID) Endpoint property sheet to register an RSA ACE/Server machine. During the registration process, CA Identity Manager identifies the RSA ACE/Server machine you want to administer and gathers information about it.

  2. Explore the objects that exist in the endpoint.

    After registering the machine in CA Identity Manager, you can explore its contents. Use the Explore and Correlate Endpoint dialog. The Exploration process finds all RSA ACE (SecurID) objects. You can correlate the accounts with global users at this time or you can correlate them later.

  3. Correlate the explored accounts to global users

    When you correlate accounts, CA Identity Manager creates or links the accounts on an endpoint with global users, as follows:

    1. CA Identity Manager attempts to match the username with each existing global user name. If a match is found, CA Identity Manager associates the RSA ACE (SecurID) account with the global user. If a match is not found, CA Identity Manager performs the next step.
    2. CA Identity Manager attempts to match the account name with each existing global user's full name. If a match is found, CA Identity Manager associates the RSA ACE (SecurID) account with the global user. If a match is not found, CA Identity Manager performs the following step.
    3. If the Create Global Users as Needed button is checked, CA Identity Manager creates a new global user and associates the RSA ACE (SecurID) account with the global user. If the Create Global Users as Needed button is unchecked, then CA Identity Manager performs the next step.
    4. CA Identity Manager associates the RSA ACE (SecurID) account with the [default user] object.

RSA Endpoint Property Sheet

The RSA Endpoint Property sheet lets you register or view the properties of an RSA ACE server. From the RSA Endpoint Tab you can specify the endpoint name, host name, account template information, and the password change propagate mode.

Password Change Propagate Mode

The password change propagate mode on the Endpoint Tab of the Endpoint Property Sheet, specifies the way that the Password and PIN changes are handled during a change event. The following scenarios are possible:

  1. If neither the Password Change nor PIN Change check boxes are checked, the password change will not occur.
  2. If the Password Change check box is selected, but the PIN Change check box is not selected, only the user password will be changed to the value provided in the eTPassword attribute. No modifications will be applied to the assigned tokens.
  3. If the Password Change check box is not selected, but the PIN Change check box is selected, only the value of the PIN for the assigned tokens will be changed to the value provided in the eTPassword attribute.
  4. If both the Password Change check box and PIN Change check box are selected, both the user password and assigned tokens PINs will be changed to the value provided in the eTPassword attribute.

    Note: For 4, if the user does not have any tokens assigned to them, the request to modify the eTPassword attribute is treated as a request to assign the password to the user using the value provided in the eTPassword attribute.

    Note: For 3 and 4, if the user has more than one token assigned, the PIN reset applies to ALL of the tokens that are in possession of the user. The PIN associated with each assigned token is changed to the value provided in the eTPassword attribute.

RSA Account Templates

The RSA DefaultPolicy, provided with the RSA ACE (SecurID) connector, gives a user the minimum security level needed to access an endpoint. You can use it as a model to create new account templates.

Note: You can create RSA account templates that are associated with multiple endpoints. These account templates can only be used to grant privileges to existing accounts.

RSA Groups

You can create and maintain RSA ACE (SecurID) groups using the Endpoint type task view. Use the RSA Group property sheet when managing your groups.