RSA SecurID Appliance

Setup & Administration

Michal ČervinkaSOFT-TRONIK, a.s.michal.cervinka@soft-tronik.cz

More about HW

• Intel Pentium 4 Celeron 2.53 GHz Processor.

• Intel 865G + ICH5 Chipset

• Intel 2x 1Gigabit & 2x 10/100 Ethernet Controller

• 512MB DDR400 Memory Module (Support Memory up to 4GB.)

• 1x3.5" SATAII 80GB HDD

• 1 X Keyboard Port, 1 X VGA Port

• 3 X USB 2.0 interface (you can use USB memory dev.)

• 3 X Cooling FAN (2 - System / 1 - Power Supply)

• Power Supply 350W, Cons. 160W

• 1U Rack Mount Form Factor

More about SW

• Hardened Windows 2003 Server Standard Edition

• RSA Authentication Manager 6.1

• RSA Authentication Agent 6.1 for Windows (local auth.)

• RSA Authentication Agent 5.6 for IIS

• Web Administration Application

• RSA Radius Server 6.1

• SNMP Agent Plug-in

Initial Setup

• appliance address displayed on LCD, address your laptop and connect to https://192.168.100.100:8098

• user name administrator and the temporary password [RSAAppliance] (including the brackets)

• choose primary / replica setup

• go through the QuickSetup wizzard— set date and time

— change administrator password

— hostname, domainname, IP settings

— provide license

— import token records

— assign token to administrator and test

— enable authentication and finish

Understanding Admin Accounts

• Administrator – standard admin, always requires token, consumes a license

• AdminWebUser – internal (web server) use, don’t change

• rsaLocalAdmin – emergency access only

• Create more …

Basic Appliance Administration

• simple, intuitive web-based administration interface (https://<appliance>:8098)

• “Administrator” – instant standard admin account

• Token authentication is a “must”

Advanced Appliance Administration

• Windows Server administration via RDP over SSL

• Traditional Authentication Manager admin tools via RDP over SSL

• Traditional AM remote console

Emergency Access

1. turn-off

2. connect keyboard+monitor

3. turn-on

4. Login as rsaLocalAdmin

5. run db-admin

Resetting to Factory Defaults

1. turn off

2. turn on

3. on the first beep turn the dial clockwise

• You will loose all the upgrades and optional installations

Backup

• Online-backup script: c:\authmgr\scripts\rotatebackup.bat

• Creates MS .cab file

• By default runs once a week (windows scheduler)

• Accessible at https://<appliance>:8098/admin/ACE/backup_dwnld.asp

Restore

• Copy .cab to the appliance and unpack

• Stop AM services

• Create empty databases (run sdnewdb.exe)

• Load databases (server and log)

• Owerwrite sdconf.rec

• Create windows admin account if needed

• Restart the appliance

Patches and Upgrades

• OS

• AM components

— Download the upgrade bundle, extract

— Run setup

— Reboot if needed

Monitoring

• E-mail Alerts (Event Log)

• SNMP Traps

— Authentication Manager

— Authentication Agent

— Radius

• Scheduled restart