
Wednesday, October 1, 2014

Checking Backup Files on RSA Appliance

Backups are scheduled on the RSA appliance via the Operation Console.  However, we will need to retrieve the backup at times.  Where are the backup files residing in the system?

1. Login using the account emcsrv and key in the password when prompted.


2. Change to root and key in the password when prompted:


    bash-3.00$ sudo su -

3. Navigate to the directory where the backup files reside:


    [root@Primary/ ]# cd /var/cap/backups/

6. List the backup files using the below command:


    [root@Primary/ ]# ls -ltr

7. The backup files will be displayed as follows:



Thursday, July 24, 2014

Changing NTP Server On RSA Appliances

In order to change the NTP server, we will have to carry out the following steps via PuTTY (an open source Telnet and SSH client for the Windows and Unix platforms):

1. Login using the account emcsrv and key in the password when prompted.

2. Change to root and key in the password when prompted:

    bash-3.00$ sudo su

3. Navigate to the directory where the NTP configuration file resides:

    bash-3.00$ cd /etc

4. Edit the file ntp.conf and locate the “server” line. Specify the NTP server to be added and save the file:

    bash-3.00$ vi ntp.conf

    For example:
    # server mytrustedtimeserverip
    server 192.168.7.22

5. Enter the below command to enable the NTPD service to start when the appliance is rebooted:

    [root@Primary/ ]# /sbin/chkconfig --level 2345 ntpd on

6. Restart the NTPD service for the change to take effect:

    [root@Primary/ ]# /sbin/service ntpd restart

7. The appliance immediately synchronizes its time with the NTP server and sets the hardware clock automatically.  You can verify that the NTPD service is running using the below command:

    [root@Primary/ ]# ntpq -p

Repeat the above steps at the Replica.
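
SecurID token codes are time-based, so it is worth confirming that ntpd is actually synchronised to the server configured in step 4 rather than only that the service is running. The script below is an added example, not part of the original post or of RSA's tooling; it assumes the peer list is taken with `ntpq -pn` (numeric addresses), the 128 ms threshold is illustrative, and both samples are constructed.

```shell
#!/bin/sh
# Added example: confirm ntpd is synchronised to a server named in ntp.conf.
# Both samples are constructed; only 192.168.7.22 comes from the post.
SAMPLE_CONF='# server mytrustedtimeserverip
server 192.168.7.22
server 127.127.1.0
fudge 127.127.1.0 stratum 10'

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.7.22    10.0.0.1         3 u   41   64  377    0.512    1.204   0.331
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001'

# Active "server" lines from ntp.conf on stdin; commented-out lines and the
# local-clock pseudo address 127.127.x.x are skipped.
ntp_conf_servers() {
    awk '$1 == "server" && $2 !~ /^127\.127\./ { print $2 }'
}

# Peer that ntpd has selected (tally code "*") from `ntpq -pn` on stdin.
# Status 1 means no peer is selected, i.e. the clock is not synchronised.
ntp_sync_peer() {
    awk 'NR > 2 && substr($0, 1, 1) == "*" { print substr($1, 2); found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Status 0 if the selected peer's offset (column 9, ms) is within +/- $1 ms.
ntp_offset_ok() {
    awk -v max="$1" 'NR > 2 && substr($0, 1, 1) == "*" {
             off = $9 + 0; if (off < 0) off = -off; ok = (off <= max) }
         END { exit (ok ? 0 : 1) }'
}

# $1 = ntp.conf text, $2 = `ntpq -pn` text, $3 = max offset in ms.
# Returns 1: not synchronised, 2: synced to an unconfigured peer, 3: offset too large.
ntp_verify() {
    peer=$(printf '%s\n' "$2" | ntp_sync_peer) || return 1
    printf '%s\n' "$1" | ntp_conf_servers | grep -qxF "$peer" || return 2
    printf '%s\n' "$2" | ntp_offset_ok "$3" || return 3
}

ntp_verify "$SAMPLE_CONF" "$SAMPLE_NTPQ" 128 && echo "synchronised to $peer"
```

On the appliance, pass the output of `cat /etc/ntp.conf` and `ntpq -pn` instead of the samples. The `*` tally can take several poll intervals to appear after ntpd is restarted.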

Monday, October 28, 2013

Security Certificate Issued Was Not From A Trusted Certificate Authority

Since we migrated to the new RSA SecurID Appliances 3.0, we always get a Security Alert notification that the security certificate was not from a trusted Certificate Authority when logging on to the RSA Security Console.

 
To remove this alert, the following steps need to be carried out to save the RSA Self-Signed Root certificate on the RSA Authentication Manager’s admin console:

1.    Log on to the RSA Security Console via URL: https://<FQDN>:7004/console-ims
 
2.    Since this certificate is not trusted by the browser, a Security Alert warning is displayed. In Windows Internet Explorer, click Continue to this website (not recommended).

3.    Next, a red Address Bar and a certificate warning appears.
 

4.    Click the Certificate error button to open the information window
 
 
5.    Click View Certificates to continue. The web certificate is presented to you. Click on the top tab labelled Certification Path.
  
6.    Double click on the untrusted certificate "RSA Authentication Manager Root CA" and click Install Certificate... 
 
7.    The Certificate Import Wizard appears. Click Next to continue.
 

8.    Choose "Automatically select the certificate store based on the type of certificate" and click Next to continue.   
 
9.    Click Finish, followed by Yes to import the certificate when a warning message appears. Click OK to continue.
 
10.  Continue to click OK through the screens to get back to the main window.

 
These steps must be performed with Internet Explorer on any machine that will browse to the Authentication Manager Consoles.

Monday, September 30, 2013

RSA Secure Logon via SecurID Passcode

Our RSA administrators are required to use two-factor authentication (2FA) for access to the RSA Security Console.  However, the RSA Secure Logon prompts for Password by default.  The administrator is not able to log on using SecurID Passcode (i.e. RSA 2FA).
  
In order to enable the administrators to access the RSA Security Console using RSA 2FA, the following steps are carried out to enable logon via SecurID Passcode:

1.     Access the Security Console via https://<FQDN>:7004/console-ims and select Authentication Methods under the Setup tab.  You will notice that the Console Authentication was configured to accept either LDAP_Password or RSA_Password.

2.     Append /SecurID_Native immediately after RSA_Password/LDAP_Password under Console Authentication and click Save.

3.     When the Confirmation Required dialog box appears, click on the box beside Update Authentication Methods Configuration Confirmation: to update authentication methods configuration and click on Update Authentication Methods Configuration.
 

4.     The next screen will show the below message:
              Updated authentication configuration setting.


5.     Log out of the Security Console and re-access the Security Console via https://<FQDN>:7004/console-ims.

6.     You will notice that the RSA Secure Logon allows the administrator to select the different Authentication Method (i.e. either Password or SecurID Passcode).

 
The administrators will now be able to access the Security Console using 2FA via the SecurID Passcode (i.e. PIN + RSA token code).

Friday, September 27, 2013

Error 1324: The path RSA Security contains an invalid character (2)

Due to a security vulnerability found in the older version of the RSA agent, we upgraded the RSA agent for all Windows 2003 servers to 7.1.2.  The majority of the upgrades were smooth except for the 2 Exchange 2003 servers.  When trying to upgrade the RSA agent on the Exchange servers to version 7.1.2, we encountered the below error message:

Error 1324: The path RSA Security contains an invalid character.

Removing the RSA related folders and registry settings mentioned in the previous blog post does not help. 
We found out that the service “RSA Authentication Agent Offline Local” still appears under Services although we have uninstalled the RSA agent, which is of an older version.  The Status is blank although the Startup Type = Automatic.

We did a search for the registry key related to “RSA Authentication Agent Offline Local” and found the below registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OASVC_Local

We deleted the key and did a reboot of the Windows 2003 x86 server. After that, we re-installed the RSA Agent without any problem.
 

Thursday, July 25, 2013

Mounting A USB Drive On RSA SecurID Appliance

We copied all the token seed files onto a USB drive, and we do not have access to the USB port of the Windows terminal which we use to manage the RSA SecurID Appliance.  In order to import the token seed files, we carried out the below-mentioned steps:

1.     Using a third-party utility such as PuTTY, open an SSH connection to the Primary Appliance.

2.     Login using the account emcsrv and key in the password when prompted.

3.     Change to root and key in the password when prompted:
            -bash-3.00$ sudo su -

4.     Plug the USB drive into one of the USB ports behind the Appliance.

5.     Key in the below command to check that the USB drive is listed:
            [root@kandti ~]# lsusb
            Bus 002 Device 004: ID 0a16:9005 Trek Technology (S) PTE. Ltd
            Bus 002 Device 003: ID 0424:2514 Standard Microsystems Corp.
            Bus 002 Device 002: ID 8087:0020
            Bus 002 Device 001: ID 1d6b:0002
            Bus 001 Device 002: ID 8087:0020
            Bus 001 Device 001: ID 1d6b:0002

The above information shows that the Appliance recognises one USB drive named “Trek Technology (S) PTE. Ltd”.

6.     Next, find out the device which is attached to the USB drive:
            [root@kandti ~]# dmesg | grep -i disk
            sd 0:0:0:0: [sda] Attached SCSI disk
            sd 4:0:0:0: [sdb] Attached SCSI removable disk
            sd 5:0:0:0: [sdb] Attached SCSI removable disk

From the output, the device is sdb.

7.     Navigate to the directory where the USB drive is to be mounted and mount it:
            [root@kandti ~]# cd /usr/tmp
            [root@kandti tmp]# mount -t vfat /dev/sdb tmp

8.     To confirm that the USB drive is mounted, key in the below command to display the files in the directory tmp:
            [root@kandti tmp]# ls -l

9.     Copy the required token seed files from the USB drive’s mount point to the desktop of the Windows terminal via WINSCP, a third-party utility.

10.   Unmount the USB drive by issuing the below command:
            [root@kandti var]# umount /dev/sdb

11.   Proceed to import the token seeds via Security Console.
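
Token seed files are sensitive, and the appliance is an authentication server, so the removable drive is best identified unambiguously and mounted read-only with execution disabled. The script below is an added example, not part of the original post; the mount point /mnt/seedusb is a hypothetical path, and the sample dmesg text is constructed from the lines shown in step 6.

```shell
#!/bin/sh
# Added example: pick the removable disk from dmesg and mount it defensively.
# Sample text is constructed from the output shown in step 6 of the post.
SAMPLE_DMESG='sd 0:0:0:0: [sda] Attached SCSI disk
sd 4:0:0:0: [sdb] Attached SCSI removable disk
sd 5:0:0:0: [sdb] Attached SCSI removable disk'

# Print the device node of the single removable SCSI disk named in dmesg
# output on stdin. Status 1 if there is none, or more than one distinct
# device, so that neither a fixed disk nor the wrong stick is mounted.
removable_disk() {
    devs=$(sed -n 's/.*\[\(sd[a-z][a-z]*\)] Attached SCSI removable disk.*/\1/p' | sort -u)
    [ -n "$devs" ] || return 1
    [ "$(printf '%s\n' "$devs" | wc -l)" -eq 1 ] || return 1
    printf '/dev/%s\n' "$devs"
}

# Read-only; ignore executables, setuid bits and device nodes on the drive.
SEED_MOUNT_OPTS='ro,noexec,nosuid,nodev'

# Mount device $1 on a dedicated, empty mount point $2 (run as root).
# A dedicated directory avoids hiding the contents of an existing one.
mount_seed_usb() {
    mkdir -p "$2" &&
    mount -t vfat -o "$SEED_MOUNT_OPTS" "$1" "$2"
}

# On the appliance (as root), with the hypothetical mount point:
#   dev=$(dmesg | removable_disk) && mount_seed_usb "$dev" /mnt/seedusb
#   ... copy the seed files, then: umount /mnt/seedusb
printf '%s\n' "$SAMPLE_DMESG" | removable_disk
```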

Tuesday, July 16, 2013

Unable To Logon Using An Unchallenged Account After RSA Agent Upgraded

We upgraded the RSA agent for some of the Windows 2003 servers from version 6.1.3 to version 7.1.2. However, we found that we were not able to log on to the servers using an unchallenged account (i.e. an account which is not a member of the domain group where the members will be challenged). For those servers still using the 6.1.3 agent, there is no issue when we log on using the same unchallenged account.

The below message will appear:
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

After some troubleshooting, it was found out that the logon problem happened due to AD name translation failure for the challenged group KANDTI\RSAUsers.
The below steps were carried out to ensure that the challenged group has the same sAMAccountName and Common Name:

1.     Logon to a domain controller and click Start > Administrative Tools > Active Directory Users and Computers.
2.     On the View menu, select Advanced Features.
3.     Search for the group KANDTI\RSAUsers, right-click the group and open the Properties dialog.
4.     Click on the Object tab and note down the Canonical name of object (i.e. kandti.com/Users/RSAUsers).
5.     Click OK and exit from Active Directory Users and Computers.
6.     Click Start > Run and type adsiedit.msc and click OK.
7.     Under ADSI EDIT, expand DC=kandti,DC=com.
8.     Select CN=Users and look for CN=RSAUsers.
9.     Right-click CN=RSAUsers and open the Properties dialog.
10.   Click on the Attribute Editor tab and scroll down the attributes list to find the sAMAccountName attribute.
11.   Make sure the Value for the sAMAccountName is the same as the CN (i.e. both sAMAccountName and CN should be RSAUsers).
We were able to log on successfully after making the necessary change to sAMAccountName.

Monday, July 15, 2013

Error 1324: The path RSA Security contains an invalid character (1)

When trying to uninstall the RSA agent on a Windows 2003 x86 server in order to upgrade the agent to version 6.1.3, we encountered the below error message:

Error 1324: The path RSA Security contains an invalid character.

As advised by RSA Support, the following steps were carried out:

1. Log on to the server using the local administrator account to remove the below-mentioned folders and registry settings:

File locations:

C:\Program Files\RSA Security\RSA Authentication Agent

C:\Program Files\Common Files\RSA Shared

Registry:

[HKEY_CLASSES_ROOT\rsaconf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rsaconf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls] - "RSASecurityCenter"="C:\\Program Files\\Common Files\\RSA Shared\\RSA Security Center\\SCACPL.cpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] - "RSANotificationIcon"="\"C:\\Program Files\\Common Files\\RSA Shared\\RSA Security Center\\RSANotificationIcon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]- "UIService"="\"C:\\Program Files\\Common Files\\RSA Shared\\BackendUI\\UIService.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]- "C:\\Program Files\\RSA Security\\RSA Authentication Agent……….

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]- "C:\\Program Files\\Common Files\\RSA Shared……….

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] - "GinaDLL"="C:\\Program Files\\RSA Security\\RSA Authentication Agent\\AceGina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]- "C:\\Program Files\\Common Files\\RSA Shared……….

[HKEY_LOCAL_MACHINE\SOFTWARE\RSA Security]

[HKEY_LOCAL_MACHINE\SOFTWARE\RSAACEAgents]

[HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT]

2. Reboot the server.

3. Proceed to install the RSA Authentication Agent version 6.1.3.
 

Friday, May 31, 2013

Accessing RSA SecurID's Security Console

Since we migrated the existing appliances to RSA SecurID Appliances 3.0, we have been accessing the Security Console via https://<ipaddress>:7004/console-ims. After logging on to the Security Console, we are shown the error message:

The server encountered an unexpected condition which prevented it from fulfilling the request.


The error will disappear after clicking on other tabs. The URL link will be redirected to FQDN after that (i.e. https://<FQDN>:7004/console-ims) and everything is back to normal.

This was escalated to RSA Support. We were informed that:

1. Neither IP address nor short-name is supported for Security Console’s access.

2. IP address is supported for Operations Console’s access though.

We tried accessing the Security Console via https://<FQDN>:7004/console-ims and the error message does not appear anymore.


Monday, May 20, 2013

Creating, Updating And Listing of Operations Console Administrator Accounts

By default, RSA SecurID has only 1 Operations Console Administrator account (i.e. rsaadmin) created. At times, there may be a need to have an additional Operations Console Administrator if there is a secondary RSA SecurID administrator or even a third one.

In order to create the additional Operations Console Administrators, we will have to carry out the following steps via PuTTY (an open source Telnet and SSH client for the Windows and Unix platforms):

1. Login using the account emcsrv and key in the password when prompted.

2. Change to root and key in the password when prompted:

-bash-3.00$ sudo su

3. Change to rsaadmin:

[root@Primary/ ]# su rsaadmin

4. Navigate to the directory where the superadmin restoration utility resides to create the temporary superadmin account:

bash-3.00$ cd /usr/local/RSASecurity/RSAAuthenticationManager/utils

bash-3.00$ ./rsautil manage-oc-administrator -a create

[create] – create Operations Console Administrator account

Super Administrator’s name: rsaadmin

Enter Super Administrator’s Password: **********

Enter User Name: OCAdmin1

Enter User Password: **********

Confirm User Password: **********

User ‘OCAdmin1’ created successfully.

5. To change the password for the Operations Console Administrator created:

bash-3.00$ ./rsautil manage-oc-administrator -a update

[update] – change Operations Console Administrator account password

Enter User Name: OCAdmin1

Enter User Password: **********

Confirm User Password: **********

User ‘OCAdmin1’ updated successfully.

6. To list all Operations Console Administrators:

bash-3.00$ ./rsautil manage-oc-administrator -a list

[list] – provide the list of items to be selling

Super Administrator’s name: rsaadmin

Enter Super Administrator’s Password: **********

Userlisting (./etc/systemfields.properties)

..

3) OcAdmin1                           Groups: Operations Console - Administrator

4) OcAdmin2                           Groups: Operations Console – Administrator    

..

8) rsaadmin                            Groups: Operations Console – Administrator
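
The listing in step 6 is also the place to review who holds Operations Console Administrator rights. The script below is an added example, not part of the original post or of rsautil; it parses text in the format shown above (the sample is constructed from it) and reports any account that is not on an allow-list, which here is hypothetical.

```shell
#!/bin/sh
# Added example: audit the Operations Console Administrator listing.
# Sample text is constructed in the format shown in step 6 of the post.
SAMPLE_LISTING='Userlisting (./etc/systemfields.properties)
3) OcAdmin1                           Groups: Operations Console - Administrator
4) OcAdmin2                           Groups: Operations Console - Administrator
8) rsaadmin                            Groups: Operations Console - Administrator'

# Account names (second field) of numbered entries whose group list
# mentions the Operations Console; reads the listing on stdin.
oc_admins() {
    awk '/^[0-9]+\) / && /Groups:.*Operations Console/ { print $2 }'
}

# Print accounts found in the listing (stdin) that are missing from the
# space-separated allow-list in $1. Status 1 if any such account exists.
# Names are compared exactly as the listing prints them.
unexpected_oc_admins() {
    oc_admins | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok) { print; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Hypothetical allow-list: only these two accounts are expected.
EXPECTED_ADMINS='rsaadmin OcAdmin1'

printf '%s\n' "$SAMPLE_LISTING" | unexpected_oc_admins "$EXPECTED_ADMINS" ||
    echo "review the accounts listed above"
```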