RSA SecurID Ready Implementation Guide

Last Modified: Thursday, May 08, 2003

1. Partner Information

Partner Name: Netegrity, Inc.
Web Site: www.netegrity.com
Product Name: SiteMinder
Version & Platform: 4.6.1 SP5 & 5.5 SP1 (W2K, Solaris, HP-UX, AIX, Linux)
Product Description: Netegrity SiteMinder enables companies to centrally administer and enforce user authentication and authorization management, as well as provide single sign-on (SSO) to users. SiteMinder's advanced management tools offer fast development, deployment, and management of sophisticated web security systems.
Product Category: Access Management

2. Contact Information

Sales Contact
E-mail: sales@netegrity.com
Phone: (800) 325-9870
Web: www.netegrity.com

Support Contact
E-mail: Support@Netegrity.com
Phone: 781-890-1700
Web: www.netegrity.com/support
3. Solution Summary

Feature: Details

Authentication Methods Supported: Native SecurID
ACE/Agent Library Version: 5.02
ACE 5 Locking: Yes
Replica ACE/Server Support: Full Replica Support
Secondary RADIUS/TACACS+ Server Support: Yes
Location of Node Secret on Client: Registry or Windows: \winnt\system32, Unix: /var/ace
ACE/Server Agent Host Type: Net OS, UNIX
SecurID User Specification: Designated users
SecurID Protection of Administrators: Yes
4. Product Requirements

Hardware requirements

Component Name: SiteMinder
CPU make/speed required: Pentium 3 600 MHz
Memory: 128 MB (256 MB recommended)
HD space: 100 MB (500 MB recommended)

Component Name: SiteMinder
CPU make/speed required: Sparc or other UNIX
Memory: 128 MB (256 MB recommended)
HD space: 100 MB (500 MB recommended)

Software requirements

Component Name: SiteMinder

Operating System: Version (Patch-level)

NT 4.0: SP5 or SP6a
Windows 2000: SP1
Solaris 2.6: kernel update = 105181-17; C++ shared library = 105591-09; libc = 105210-25; libthread = 105568-14
Solaris 2.7: kernel update = 106541-08; C++ shared library = 106327-08; libthread = 106980-07
Solaris 2.8: Core Solaris libraries = 108827-12
HP-UX 11.0, 11i: PHSS_26263

Web Server: IIS 4, IIS 5, iPlanet Web Server Enterprise Edition 4.0 or later, Netscape Enterprise Web Server 3.6x or later

Browser: Netscape Communicator 4.06, 4.5, 4.6 or later, or Microsoft Internet Explorer 4.0, 4.01, or 5.0 (with Java Virtual Machine 4.79.0.2424 or newer). If you use an older 4.x version of Netscape, you must get the Java 1.1 Patch from http://developer.netscape.com.
5. Partner ACE/Agent configuration

This document describes how to configure SiteMinder to authenticate users to protected resources using RSA SecurID hardware tokens.

SecurID Scheme Prerequisites

To use the SecurID authentication scheme, the following criteria must be met:

- The RSA ACE/Client software must be installed on the same machine as the SiteMinder Policy Server.
- The ACE/Server must have the Policy Server defined as a client to the ACE/Server.
- A local test authentication from the ACE/Client on the Policy Server must be successful.

Configuration Steps:

1. Install and configure the SiteMinder Web Agent on the appropriate web servers that will provide access to resources managed by SiteMinder.

2. Within the SiteMinder Policy Server, create a Policy Domain (see Figure 1). A policy domain is a logical grouping of resources associated with one or more user directories.

Figure 1
3. Create a SecurID Authentication Scheme (see Figure 2). When a user attempts to access a protected resource, SiteMinder uses the Authentication Scheme associated with the resource's realm to identify the user.

Figure 2
4. Create a Realm (see Figure 3). A realm is a cluster of resources within a policy domain grouped together according to security requirements. The contents of a Realm are protected by Agents. When users request resources within a realm, the associated Agent handles authentication and authorization of the user.

Figure 3
5. Create a Rule (see Figure 4). SiteMinder rules identify specific resources and either allow or deny access to the resources.

Figure 4
6. Create a Policy. Policies define how users interact with resources. When a Policy is defined in SiteMinder, you link together (bind) different SiteMinder objects that identify users, resources, and actions associated with the resources. Policies are stored in Policy domains. When you configure a policy, you can select users and groups from the user directories available in the policy domain (see Figure 5).

Figure 5
SiteMinder identifies resources through rules. When you create a policy, you can select rules that specify the resources you want to include in a policy (see Figure 6).

Figure 6

SecurID Passcode prompts

Figure 7 - Standard Prompt
Figure 8 - New Pin Mode

Figure 9 - Next Tokencode Mode
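
A pre-flight check for the SecurID Scheme Prerequisites on a UNIX Policy Server, added here as an example and not taken from RSA or Netegrity material. It assumes the ACE/Agent keeps its server configuration in sdconf.rec and its node secret in securid under /var/ace (file names not stated in this guide) and treats owner-only permissions on the node secret as the expected state; check_ace_dir is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: verify the ACE/Agent files before creating the SecurID scheme.
# Default directory is the guide's UNIX node secret location (/var/ace).
# File names sdconf.rec and securid are assumptions, not stated in the guide.
# Return codes: 0 ready, 1 failed check, 2 directory missing, 3 no node secret yet.

check_ace_dir() {
    dir=${1:-/var/ace}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (ACE/Client not installed?)"
        return 2
    fi
    # Server configuration record copied from the ACE/Server.
    if [ ! -s "$dir/sdconf.rec" ]; then
        echo "FAIL: $dir/sdconf.rec missing or empty"
        rc=1
    fi
    # Node secret: created by the first successful authentication.
    if [ ! -f "$dir/securid" ]; then
        echo "WARN: no node secret yet; run the local test authentication"
        [ "$rc" -eq 0 ] && rc=3
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$dir/securid" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $dir/securid is accessible to group/other ($perms)"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir looks ready for the SecurID scheme"
    return "$rc"
}

# Constructed demo: a scratch directory standing in for /var/ace.
demo_dir=$(mktemp -d)
printf 'constructed' > "$demo_dir/sdconf.rec"
printf 'constructed' > "$demo_dir/securid"
chmod 644 "$demo_dir/securid"
check_ace_dir "$demo_dir" || true   # flags the group/other-readable node secret
chmod 600 "$demo_dir/securid"
check_ace_dir "$demo_dir"           # passes
rm -rf "$demo_dir"
```

On a real Policy Server, call check_ace_dir with no argument as the account that runs the Policy Server so the result reflects what that process can read.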
6. Certification Checklist

Date Tested: August 8, 2002

Product Tested    Version
ACE/Server        5.01
ACE/Agent         5.03 build 488
SiteMinder        4.61 SP4, 5.5 SP1

Test                                        ACE    RADIUS

1st time auth. (node secret creation)       P      N/A

New PIN mode:
  System-generated
    Non-PINPAD token                        P      N/A
    PINPAD token                            P      N/A
  User-defined (4-8 alphanumeric)
    Non-PINPAD token                        P      N/A
    Password                                P      N/A
  User-defined (5-7 numeric)
    Non-PINPAD token                        P      N/A
    PINPAD token                            P      N/A
    SoftID token                            P      N/A
    Deny 4 digit PIN                        P      N/A
    Deny Alphanumeric                       P      N/A
  User-selectable
    Non-PINPAD token                        P      N/A
    PINPAD token                            P      N/A

PASSCODE
  16 Digit PASSCODE                         P      N/A
  4 Digit Password                          P      N/A

Next Tokencode mode
  Non-PINPAD token                          P      N/A
  PINPAD token                              P      N/A

Replica Servers                             P      N/A
User Lock Test (ACE Lock Function)          P      N/A
No ACE/Server                               P      N/A

JRV

P = Pass or Yes, F = Fail, * = See Section 7 Known Issues, N/A = Non-available function
7. Known Issues

There are no known issues.