Thursday, March 26, 2009

RSA Authentication Manager 7.1

Lately I have been working on an installation of RSA Authentication Manager 7.1. For those familiar with SecurID and other previous versions of this software, this is almost a complete rewrite of the previous version. Oracle is used as the internal database and BEA is used as the application server. As you might guess, the software has been rewritten in Java.

I do not consider my installation to be big by any means. I have installed two servers with the base license and configured everything from there.

In this process I have gained some experience - both bad and good on how RSA products work and how their support works.

I have used their support several times and they have to this date always answered me quickly and with an answer that I can accept.

But the way they manage their licenses and support is not always easy to cope with. To download seed files (files to configure tokens) I first had to install an SSL certificate and then authenticate myself using that certificate. Duh, security sucks from time to time.

Important for your strong security infrastructure is application support. AM7.1 comes out of the box with

  • Windows web agent for IIS
  • Windows client agent (GINA replacement, off-line authentication, etc.)
  • Windows EAP agent for use with Dial-up networking
  • Apache web agent (unsure of what platforms)
  • Java web agent

This sounds great? I thought so myself. But then I started to look into the agent support.

Web agent for JAVA

Only the Solaris platform is supported. Not good.

Web agent for IIS

This agent supports some versions of IIS. Currently x32 and x64 Windows 2003 and some Windows 2000. Windows 2008 is not supported yet, but RSA have promised something during H1 2008.
The IIS agent is straightforward. You just choose the site to protect, and you are protected. Single sign-on is supported for two applications: SharePoint and Outlook Web Access.
Development support is limited to a COM object you can call to ask for the logged-on user and store some data in an encrypted cookie.
.NET is not supported, except for COM interop. The application has to run in SYSTEM context.

ISA server support

The ISA Server can do RSA authentication out of the box. (Configuring support is not something you do easily...) When configured with RSA support you have to authenticate before you ever get to the web site.
There is no authentication information passthrough (unless you have the web agent installed on the client), so the users need to log on again.

Wednesday, March 18, 2009

Publish MOSS with ISA 2006

If you publish SharePoint/MOSS 2007 sites with ISA server 2006 you can experience problems with versioning and check-out/check-in. The symptoms occur when the ISA server publishes via an SSL certificate and the web site on MOSS is unsecured.

The cause of this is that the ISA server adds :443 to the Host HTTP header.


Thursday, March 12, 2009

Extract files from an MSI file

If you ever need to extract files from within MSI files, or add standalone cab files into an existing MSI file - here is the tool to do so.

Msidb.exe (Windows): "Msidb.exe uses MsiDatabaseImport and MsiDatabaseExport to import and export database tables and streams."


Strobist

Strobist: "Learn How to Light"

Tuesday, March 10, 2009

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Delegation for ISA Server 2006

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Delegation for ISA Server 2006: "Walk-through for RSA SecurID Delegation for ISA Server 2006"

Friday, March 06, 2009

AM71 and backup causing corruption

BackupExec and Oracle do not work well together. At least when not configured correctly.

I was working on an RSA SecurID Authentication Manager 7.1 installation that stopped each night.

Symptom

In the <servername>_server.log I found this error message:

java.sql.SQLException: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
 

Cause

After looking around for a while I got hold of TOAD and started to look into the data in the Oracle server. When I tried to dig into the data I got an error message about the data files. That made me find this excellent blog post about Oracle data files that get into RECOVER mode because of backup-related issues.

By following the steps explained there I made the server work again.

If you need to obtain the Oracle sys password, read here.
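
An added example, not from the original post: because the server stopped each night, bucketing the database-down errors from the server log by hour of day shows whether they line up with the backup window. The entry header format and the sample log lines are assumptions, constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Errors quoted in the post: the Oracle instance behind AM 7.1 is down.
ORA_DOWN = {"ORA-01034", "ORA-27101"}
# Assumed entry header: "####<Mar 6, 2009 2:03:11 AM CET> <Error> ..."
HEADER = re.compile(r"^####<(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")
ORA = re.compile(r"ORA-\d{5}")

def outage_events(lines):
    """Yield (timestamp, ora_code) for each database-down error.

    Stack traces span several lines, so a continuation line inherits the
    timestamp of the most recent entry header.
    """
    current = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
        for code in ORA.findall(line):
            if code in ORA_DOWN and current is not None:
                yield current, code

def outage_hours(lines):
    """Count distinct days on which the database went down, per hour of day."""
    seen = {(ts.date(), ts.hour) for ts, _ in outage_events(lines)}
    return Counter(hour for _, hour in seen)

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
####<Mar 4, 2009 2:03:11 AM CET> <Error> <JDBC> <am71> <server> <java.sql.SQLException: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
####<Mar 4, 2009 9:15:40 AM CET> <Info> <Security> <am71> <server> <Authentication succeeded>
####<Mar 5, 2009 2:04:57 AM CET> <Error> <JDBC> <am71> <server> <java.sql.SQLException: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
####<Mar 6, 2009 2:02:30 AM CET> <Error> <JDBC> <am71> <server> <java.sql.SQLException: ORA-01034: ORACLE not available
""".splitlines()

if __name__ == "__main__":
    for hour, days in sorted(outage_hours(SAMPLE_LOG).items()):
        print(f"{hour:02d}:00  database down on {days} day(s)")
```

A single hour that accounts for every outage day is the cue to compare that time against the backup job schedule.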

Thursday, March 05, 2009

How to get AM71 Oracle master password

Do you need to connect to the Oracle server that runs behind the RSA Authentication Manager 7.1? (The new version of SecurID.)

On the server, in the utils folder under the installation directory, run this command:

rsautil manage-secrets -a listall

In return you will get a password. You can then connect to the Oracle server using sqlplus:

sqlplus sys/<password> as sysdba

Wednesday, March 04, 2009

ISA server 2006 and RSA SecurID/AM7 configuration

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 2: ISA Array Members Preparation: "RSA SecurID Authentication for ISA Server 2006"