Thursday, March 26, 2009

RSA Authentication Manager 7.1

Lately I have been working on an installation of RSA Authentication Manager 7.1. For those familiar with SecurID and other previous versions of this software, this is almost a complete rewrite of the previous version. Oracle is used as the internal database and BEA is used as the application server. As you might guess, the software is rewritten in Java.

I do not consider my installation to be big by any measure. I have installed two servers with the base license and configured everything from there.

In this process I have gained some experience, both bad and good, of how RSA products work and how their support works.

I have used their support several times and they have to this date always answered me quickly and with an answer that I can accept.

But the way they manage their licenses and support is not always easy to cope with. To download seed files (files to configure tokens) I first had to install an SSL certificate and then authenticate myself using that certificate. Duh, security sucks from time to time.

Important for your strong security infrastructure is application support. AM7.1 comes out of the box with:

  • Windows web agent for IIS
  • Windows client agent (GINA replacement, off-line authentication, etc.)
  • Windows EAP agent for use with Dial-up networking
  • Apache web agent (unsure of what platforms)
  • Java web agent

This sounds great? I thought so myself. But then I started to look into the agent support.

Web agent for Java

Only the Solaris platform is supported. Not good.

Web agent for IIS

This agent supports some versions of IIS. Currently x32 and x64 Windows 2003 and some Windows 2000. Windows 2008 is not supported yet, but RSA have promised something during H1 2008.
The IIS agent is straightforward. You just choose the site to protect, and you are protected. Single sign-on is supported for two applications: SharePoint and Outlook Web Access.
Development support is limited to a COM object you can call to ask for the logged-on user and store some data in an encrypted cookie.
.NET is not supported, except for COM interop. The application has to run in SYSTEM context.

ISA server support

The ISA Server can do RSA authentication out of the box. (Configuring support is not something you do easily...) When configured with RSA support you have to authenticate before you ever get to the web site.
There is no authentication information passthrough (unless you have the web agent installed on the client), so the users need to log on again.

1 Comments:

At 11:12, Anonymous jkdas said...

On what hardware did you install it? Did you face any other issues?
