RSA SecurID Ready Implementation Guide - Emerson Community Site

RSA SecurID Ready Implementation Guide 

Partner Information 

Last Modified: August 14, 2006 

Product Information 

Partner Name Avocent Corporation 

Web Site www.Avocent.com 

Product Name DSView® 3 Management Software 

Version & Platform Version 3, Win32, RedHat Linux and Solaris 

Product Description DSView® 3 Management Software --- The one solution for securely 

managing every device in your data center – now with virtual media 

DSView 3 management software gives you complete connectivity and 

control. It extends the Avocent® patented KVM over IP centralized 

management system with a unique benefit in the KVM industry -- a hub and 

spoke architecture. This innovative system increases KVM switching 

manageability and security and gives data centers a fully redundant system 

with built-in backup/failover capabilities. 

Product Category Remote Access 

1

Solution Summary 

RSA SecurID Authentication provides an additional security measure for authenticating users logging into 

the DSView® 3 Management Software. User accounts in the DSView 3 Management Software can be 

associated with an RSA SecurID authentication service. When these users login to the DSView 3 

Management Software, they will be authenticated against an external RSA Authentication Manager using 

two-factor user authentication. 

Partner Integration Overview 

Authentication Methods Supported Native RSA SecurID Authentication 

List Library Version Used Library Version # 5.0.3 for Java 

RSA Authentication Manager Name Locking Yes 

RSA Authentication Manager Replica Support Full Replica Supported 

Secondary RADIUS Server Support N/A 

Location of Node Secret on Agent 

RSA Authentication Agent Host Type Net OS 

RSA SecurID User Specification Designated Users 

RSA SecurID Protection of Administrative Users Yes 

RSA Software Token and RSA SecurID 800 

A tomation 

Use of Cached Domain Credentials 

No 

No 

“\rsaconf” 

For Example “C:\Program Files\Avocent DSView 

3\rsaconf” 

The following diagram shows a typical DSView 3 system in which users connect to a DSView Server from 

a browser based client and access managed appliances and target devices. Users connecting to the 

DSView Server will be prompted for credentials. When a user is associated with an RSA SecurID 

authentication service, the DSView Server will communicate with the RSA Authentication Manager to 

authenticate the user. Once the user is authenticated; DSView will control the user’s access rights to the 

managed appliances and target devices. 

DSView 

Client 

RSA Authentication Manager 

TCP/IP 

LAN 

DSView 

Server 

Managed Appliance 

Cascade Device 

Target 

Devices 

2

Product Requirements 

The following table summarizes the minimum requirements for installing the DSView 3 Management 

Software on a dedicated hub server or spoke server 

Partner Product Requirements: Avocent DSView 3 Management Software 

CPU for supported Windows and Linux 2 GHz Pentium or equivalent processor 

Systems 

CPU for supported Solaris Systems 1GHz UltraSparc III 

1 GB RAM (additional memory may be needed, 

Memory 

depending on the number of plug-ins installed and 

appliances supported) 

Storage 1GB of free disk space 

Network 100BaseT NIC (1GB NIC/LAN recommended) 

Operating System 

Platform Required Patches 

Microsoft Windows 2000 Server Latest service pack 

Microsoft Windows 2000 Advanced Server Latest service pack 

Microsoft Windows Server 2003 Standard, 

Latest service pack 

Enterprise, or Web Edition 

Microsoft Windows XP Professional SP2 or later 

Red Hat Enterprise Linux Version 3 or 4 (AS,ES 

and WS products) 

Sun® Solaris SPARC 9 or 10 

Novell® SUSE Linux (x86) Enterprise Server 8 or 

9 

3

The following table summarizes the minimum requirements for client web browsers that will connect to a 

DSView 3 Management Software hub or spoke server. 

Partner Product Requirements: DSView 3 Management Software Clients 

CPU 1 GHz Pentium or equivalent processor 

Memory 512MB RAM 

Network 10 or 100BaseT NIC (100 recommended) 

Video XGA video with graphics accelerator 

Desktop Settings 800x600 with 256 colors 

Operating System 

Platform Required Patches 

Microsoft Windows 2000 Workstation or Server SP2 or later 

Windows XP Home Edition or Professional 

Microsoft Windows Server 2003 Standard, 

Enterprise, or Web Edition 

Red Hat Enterprise Linux 

(WS v3, AS v3, ES v3; kernel version 2.4.21) 

Sun® Solaris SPARC 9 or 10 

Novell® SUSE Linux (x86) Enterprise Server 8 or 

9 

Web Browsers 

Type Required Patches 

Internet Explorer 6.0 or later SP1 for version 6.0 

Mozilla version 1.7.3 or later 

Firefox version 1.0 or later 

Netscape version 7.2 or later 

On non-Windows clients the Video Viewer, Telnet, and VNC viewers require 

Java. The supported Java version is 1.5.0._02. The Telnet/SSH applet may 

work with other versions; the Video Viewer requires that version. 

On Windows clients,Java is required to run the Avocent Telnet/SSH Viewer. 

If the Win32 PuTTY Telnet/SSH Viewer is selected in the user’s profile, then 

Java is not required on the client. 

The DSView 3 Management Software will automatically download and 

install the Java JRE onto the client browser the fist time it is needed. 

4

Agent Host Configuration 

To facilitate communication between the DSView 3 Management Software and the RSA Authentication 

Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication 

Manager database for each DSView Server (hub and all spokes) in the SDView System for which RSA 

SecurID authentication is being added. The Agent Host record identifies the DSView Servers within its 

database and contains information about communication and encryption. 

To create the Agent Host record, you will need the following information. 

• Hostname 

• IP Addresses for all network interfaces 

When adding the Agent Host Record, you should configure each DSView 3 server as Net OS. This 

setting is used by the RSA Authentication Manager to determine how communication with the DSView 3 

Management Software will occur. 

Note: Hostnames within the RSA Authentication Manager / RSA SecurID 

Appliance must resolve to valid IP addresses on the local network. 

After creating the Agent Host records for each DSView Server, a configuration file must be created 

(typically known as the sdconf.rec file). This configuration file must be accessible to the DSView 3 

Management Software when adding an external RSA SecurID authentication service. 

Please refer to the appropriate RSA Security documentation for additional information about Creating, 

Modifying and Managing Agent Host records. 

5

Partner Authentication Agent Configuration 

Before You Begin 

This section provides instructions for integrating the partners’ product with RSA SecurID Authentication. 

This document is not intended to suggest optimum installations or configurations. 

It is assumed that the reader has both working knowledge of all products involved, and the ability to 

perform the tasks outlined in this section. Administrators should have access to the product 

documentation for all products in order to install the required components. 

All vendor products/components must be installed and working prior to the integration. Perform the 

necessary tests to confirm that this is true before proceeding. 

Documenting the Solution 

The following summarizes the steps required to setup and administer an RSA SecurID authentication 

service in the DSView 3 Management Software: 

1. Add an RSA SecurID external authentication service to the DSView 3 Management Software. 

2. Add users to the RSA SecurID authentication service. 

3. Log into the DSView 3 Management Software using an RSA user account. 

4. View the status and change the settings of the RSA SecurID authentication service in DSView. 

6

Add an RSA SecurID External Authentication Service 

1. Login to the DSView Hub Server and launch the Add Authentication Server Wizard as shown below. 

2. Enter a name for the service and select RSA SecurID for the Type. 

7

3. Select the configuration file that was created by the RSA Authentication Manager. 

The sdconf.rec file that is uploaded by the Add Authentication Service 

Wizard will automatically be distributed to all the DSView Servers. Each 

DSView Server will use the sdconf.rec file to communicate with the RSA 

Authentication Manager. For some customer configurations, each DSView 

Server may require a different configuration and thus a different sdconf.rec 

configuration file. For some installations an advanced option file may also 

be required for manual load balancing called sdopts.rec. The Add 

Authentication Service Wizard will not allow this advanced level of 

configuration to be done. The advance configuration can be setup using 

the RSA SecurID Authentication Service Connection Settings page shown 

in the following section. See the RSA Authentication Manager 

Administrator Guide for details on the sdconf.rec and sdopts.rec files. 

8

4. The DSView 3 Management Software will use the sdconf.rec file to communicate with the RSA 

Authentication Manager. Upon successful completion the following page will appear. 

By default, the RSA Authentication Manger software is configured to 

automatically create the node secret for new agent hosts (of which DSView 

is one). The node secret is not created on the DSView Server until the first 

RSA user logs into DSView. Therefore after adding a RSA SecurID service, 

the administrator should login to DSView so that the node secret will be 

created. To maximize protection against attacks this should be done 

locally on the DSView Server. See the “RSA Authentication Manger 6.0 

Administrator Guide section “RSA Node Secret File Best Practices for 

Automatic Delivery” for details. 

Only a single RSA SecurID authentication service can be added to the 

DSView 3 Management Software. The Add Authentication Service Wizard 

will report an error if an RSA SecurID authentication service already exists. 

After an RSA SecurID authentication service is deleted from the DSView 3 

Management Software, the DSView 3 Management Software must be 

restarted before the service can be added again. The Add Authentication 

Service Wizard will report an error if the DSView 3 Management Software 

needs to be restarted. 

DSView also allows for manual delivery of node secret files. After an RSA 

Service is added to DSView, the RSA administrator may copy the node 

secret file to the rsaconf directory of the DSView sever (e.g. C:\Program 

Files\Avocent DSView 3\rsaconf). This directory is created when an RSA 

SecurID service is added to DSView. The node secret filename must be 

securid. 

9

Add Users to the RSA Authentication Service 

1. Login to the DSView Hub Server and launch the Add User Wizard as shown below. 

2. Select the RSA SecurID authentication service that was previously added. 

10

3. Enter the name of the user. 

4. Assign the user to a user group. 

11

5. Assign the preemption level for the user. 

6. The next page completes the wizard and adds the new user. Repeat the execution of the wizard for each 

RSA SecurID user to be added. 

12

Logging into DSView 3 with an RSA SecurID User Account 

1. After an RSA SecurID authentication service has been added to DSView, the login page in DSView will 

change to show the RSA SecurID logo. 

The following picture shows the login page prior to adding an RSA SecurID authentication service. 

The following picture shows the login page after adding an RSA SecurID authentication service. 

The Password field is renamed to Passcode. All users will see this login 

page once an RSA SecurID authentication service has been added to 

DSView 3. 

13

When an RSA SecurID authenticator is first assigned to a user, a PIN is not yet associated with it. If the 

“PIN-Less” token functionality is not utilized on the RSA Authentication Manager, the RSA SecurID 

authenticator cannot be used for authenticating until its assigned user performs the New PIN operation. 

Alternatively, an RSA Authentication Manager administrator can put an authenticator into New PIN mode 

at any time. 

When an RSA SecurID authenticator is in New PIN mode, it cannot be used for authenticating until its 

assigned user performs the New PIN operation unless “PIN-Less” token functionality is utilized on the 

Authentication Manager. During the New PIN operation, the RSA Authentication Manager will either 

assign a PIN to the user or allow the user to specify a PIN that he or she will use. Which options are 

displayed to the user who initiates a New PIN operation depends on how the RSA Authentication 

Manager is configured. 

The RSA Authentication Manager Software allows the following PIN options 

• User-Selectable PIN – User can choose to enter a PIN or allow the RSA server to generate it 

• User-Defined PIN – The user is only allowed to enter a PIN. 

• System Generated PIN – The user cannot enter a PIN; the PIN will be generated. 

For detailed information on setting this parameter see the RSA Authentication Manager Administrators 

guide. 

The following sections show examples of the pages that will appear in the DSView 3 Management 

Software when an RSA user logs in and the authenticator is in New PIN mode. 

New PIN Required Page 

The following page appears when an RSA SecurID user attempts to login to DSView 3 and the 

authenticator is in the New PIN mode. What the user is allowed to choose on this page is dependent 

upon how the authenticator is configured in the RSA Authentication Manager. 

14

Memorize PIN Warning Page 

If RSA SecurID will generate the PIN, the following page will appear after the user selects OK on the New 

PIN Required page. 

Memorize PIN Page 

Choosing Yes at the Memorize PIN Warning page will cause the following page to appear showing the 

PIN generated by RSA SecurID. 

15

New PIN Accepted 

The following page will appear after selecting OK on the Memorize PIN page or automatically after ten 

seconds. If the user entered their own PIN, this page will appear immediately after the user selects OK on 

the New PIN Required page. 

Next Tokencode Required Page 

When an authenticator is in Next Tokencode mode and it is used in a login attempt, the user is required to 

input a second successive Tokencode from the RSA SecurID token. See the RSA Authentication 

Manager Administrator Guide for details on Next Tokencode mode. 

The following picture shows the Next Tokencode Required page. 

16

Unsuccessful Login 

The login page will display an error when the user fails to login as shown in the following picture. 

Viewing the Status of the RSA SecurID Authentication Service 

The status of the RSA SecurID authentication service can be viewed in the DSView 3 Management 

Software. 

The following picture shows the Authentication Service Connection Settings page. The status is shown for 

each DSView Server in the system. 

17

Changing the Settings of the RSA SecurID Authentication Service 

Choosing one or more DSView Servers in the list then selecting the Clear Node Secret button will clear 

the node secret on the selected servers. 

Choosing one or more DSView Servers in the list then selecting the Update button will allow the 

configuration files to be updated on the selected DSView Servers. The following picture shows the 

Update RSA Configuration page that allows the sdconf.rec and sdopts.rec files to be updated. 

When the Update button is selected the configuration files will be uploaded to the selected DSView 

Servers. 

The configuration files are updated on the selected DSView Servers, but 

will not be activated until the selected DSView Servers are restarted. 

18

Certification Checklist 

Date Tested: August, 7, 2006 

Product Name 

Certification Environment 

Version Information Operating System 

RSA Authentication Manager 6.1 Windows 2000 Server 

DSView® 3 Management 

Software 

DSView 3 software version 3.3 Windows 2000 Advanced Server 

Mandatory Functionality 

RSA Native Protocol RADIUS Protocol 

New PIN Mode 

Force Authentication After New PIN Force Authentication After New PIN N/A 

System Generated PIN System Generated PIN N/A 

User Defined (4-8 Alphanumeric) User Defined (4-8 Alphanumeric) N/A 

User Defined (5-7 Numeric) User Defined (5-7 Numeric) N/A 

User Selectable User Selectable N/A 

Deny 4 and 8 Digit PIN Deny 4 and 8 Digit PIN N/A 

Deny Alphanumeric PIN Deny Alphanumeric PIN N/A 

PASSCODE 

16 Digit PASSCODE 16 Digit PASSCODE N/A 

4 Digit Password 4 Digit Password N/A 

Next Tokencode Mode 

Next Tokencode Mode Next Tokencode Mode N/A 

Load Balancing / Reliability Testing 

Failover (3-10 Replicas) Failover N/A 

Name Locking Enabled Name Locking Enabled 

No RSA Authentication Manager No RSA Authentication Manager N/A 

Additional Functionality 

RSA Software Token Automation 

System Generated PIN N/A System Generated PIN N/A 

User Defined (8 Digit Numeric) N/A User Defined (8 Digit Numeric) N/A 

User Selectable N/A User Selectable N/A 


RSA SecurID 800 Token Automation 

N/A Next Tokencode Mode N/A 

System Generated PIN N/A System Generated PIN N/A 

User Defined (8 Digit Numeric) N/A User Defined (8 Digit Numeric) N/A 

User Selectable N/A User Selectable N/A 


Domain Credential Functionality 

N/A Next Tokencode Mode N/A 

Determine Cached Credential State N/A Determine Cached Credential State 

Set Domain Credential N/A Set Domain Credential 

Retrieve Domain Credential N/A Retrieve Domain Credential 

SWA / PAR = Pass = Fail N/A = Non-Available Function 

19

RSA SecurID Ready Implementation Guide - Emerson Community Site

Create successful ePaper yourself

Delete template?

Save as template?