Common Security Domain Administrator Tasks
This document is intended as a quick-reference guide to performing basic
security domain administrator tasks. It is not meant to replace the
official RSA SecurID Authentication Manager Administrator's Guide.
There may be multiple paths to a given configuration screen or ways to perform
a given action. This document only shows one of them.
Recommended Reading
- Security Domain Administrators' Guide [Abridged]
- An abridged version of RSA's Authentication Manager Administrator's
Guide containing just the sections relevant to security domain
administrators.
Security Console Login
The ITS SecurID implementation consists of two machines: a primary and a
replica. rsa-1, the primary, holds the read/write copy of the SecurID
database, while rsa-2 serves a read-only replicated copy of the primary's
database.
Agents and administrators may perform authentications and database
modifications through either machine, but if rsa-1 is unavailable no write
actions may be performed.
Login to the SecurID Security Console using one of the following URLs:
https://rsa-1.iastate.edu:7004/console-ims
https://rsa-2.iastate.edu:7004/console-ims
After entering your SecurID User ID (typically the same as your NetID), you
will need to select the authentication method of Passcode if it's not
already the default:
You will then be prompted to enter your SecurID Passcode:
User Management
Searching/Listing Users
Before a user can be managed by a security domain administrator, they must be
placed in the appropriate security domain by a server administrator. Requests
to place NetIDs into a security domain must be sent to
sidroot@iastate.edu.
Currently, it is recommended that only users who will be assigned tokens be
assigned to a security domain rather than assigning an entire department at
once. This will cut down on the number of cruft entries in the database.
Once users are added to a security domain, you can list all the users in your
security domain or search for a specific user.
The first step to user management is to select "Users -> Manage
Existing"
from the Identity tab:
To list users in your security domain, ensure the Search criteria are
the same as in the example above and use a blank search query:
- Leave the Search box blank.
- Click the Search button.
Note the icons next to the User IDs. The green icons represent normal users
while the blue icons with shields denote security domain admins for this
particular security domain scope.
To search for a specific User ID
- Enter the User ID in the Search box.
- Click the Search button.
Search results will contain the following fields, shown in the example below:
- User ID
- The User ID. Icon to the left of the User ID will denote whether the User
ID is a normal user (green) or a security domain administrator (blue with gold
shield).
- Last, First Name
- Obvious.
- Disabled
- When checked, the user account is disabled and the user cannot
authenticate.
- Locked
- When checked, the user account is locked by the lockout policy or the
self-service troubleshooting Policy for this security domain. Locked users
cannot authenticate.
- Security Domain
- This user is managed by administrators whose administrative scope includes
the selected security domain.
- Identity Source
- The identity source is the data store where this user is saved.
The ITS SecurID servers use Active Directory (ISU AD) as a read-only data
source. Except in rare cases, this value will be "ISU AD".
Common Options
After the search results are displayed, you can display a list of common
management actions by:
- Check the box to the left of the User ID you want to perform an action on.
- Click the drop-down arrow to the left of the "Go" button. Select the
action you wish to apply to the selected User ID(s).
Other actions are available from the Edit User page.
- Click the "Go" button.
- Unlock Account
- Unlocks an account. Locked accounts cannot authenticate. Accounts are
automatically locked out when they violate the lockout policy or the
self-service troubleshooting policy for this security domain.
- Enable/Disable Account
- Enable/Disable authentication for this account.
- Assign SecurID Tokens...
- Assign a SecurID Token to this account.
To summarize, the difference between locked and disabled accounts:
- Accounts can only be locked by the SecurID server in response to a
lockout or self-service troubleshooting policy violation.
- Accounts can only be disabled by a security domain administrator.
Edit a User
To Edit the full user record, first click the down arrow to the right of the
User ID:
to see the following menu:
Select Edit as shown.
The fields in the pink box cannot be modified if the Identity Source is
ISU AD (and unless you're especially privileged, it always will be),
while values in the green boxes may be modified.
- Security Domain
- Move the User ID to the selected security domain.
Unless you're a help desk administrator or have been granted security domain
administrative privileges in multiple domains there will be only one Security
Domain listed here.
- Account Starts/Expires
- Sets the account Start and End dates. This isn't generally used.
- Account Status
- If checked, the account has been disabled manually by a security domain
administrator. Uncheck to enable this account.
- Locked Status
- If checked, the SecurID server has locked out this account in response to
either a lockout policy violation, a self-service troubleshooting policy
violation, or both. Uncheck these to unlock the account.
- Security Questions
- Using the self-service console, users can set security questions.
Checking these options will clear those security questions, and the user will be
prompted to set them again the next time they log in to the self-service
console.
NOTE: since the self-service console is not enabled on the ITS SecurID
server, no security questions can be set.
Be sure to click the Save button to apply any changes.
Token Management
Before tokens can be managed, they must be assigned to your security domain.
- If you are obtaining tokens from ITS, send a token allocation request to
sidroot@iastate.edu
with the number and type (hardware/software) of tokens you need and the
security domain they should be assigned to. Only requests from Security
Domains will be honored.
- If you have purchased your own tokens for use with the ITS SecurID Service,
the license and seed files must be imported into the SecurID Server. Security
domain admins may be able to do this themselves, but this has
not been tested. If all else fails, the SecurID server administrators can
import the license and seed files for you. Please contact
sidroot@iastate.edu for
assistance.
DO NOT EMAIL THE TOKEN LICENSE OR SEED FILES TO THE SECURID SERVER ADMINS!
Viewing Tokens
To view tokens in your security domain, select from the menu tabs:
Authentication -> SecurID Tokens -> Manage Existing.
Tokens are divided into two groups: assigned and unassigned. Assigned tokens
are tokens that have been assigned/allocated to a particular User ID and
unassigned tokens have not.
Note: a User ID can be assigned multiple tokens, but multiple User IDs
cannot be assigned to a single token.
You can limit the number of results displayed by performing a search using the
criterion in the left column of the results list. To display Unassigned
tokens, click the Unassigned tab.
The following fields are shown for each token:
- Serial Number
- The token's unique serial number. This value is found on the back of
hardware tokens and in the information pane of a software token.
- Token Type
- Software for software-based tokens. Hardware-based
tokens will show the model number of the token, such as
SID800.
- Algorithm
- Typically this will read AES-TIME, meaning that the value
generated by the token changes periodically based on the passage of time. You
probably don't need to care about this.
- Assigned To
- The User ID the token is assigned to.
- Disabled
- A checkbox will appear here if the token is disabled. Disabled
tokens cannot be used to authenticate.
- Enabled for Emergency Online Access
- This token is enabled to authenticate with a PIN and
Emergency Access Tokencode. This is most often used when users have
misplaced or lost their token and need an emergency tokencode to allow
them to authenticate.
- Requires Passcode
- If checked, a Passcode consisting of a PIN + tokencode is required to
authenticate. If unchecked, only the tokencode is required.
- Tokencode-only authentication is NOT recommended.
- Pending Replacement By Token
- When Replace with Next Available SecurID Token is chosen, this
field shows the token serial number of the replacement token.
- You likely don't want to use the Replace with Next
Available SecurID Token option. See Replacing
Tokens for more information.
- Will Replace Token.
- When Replace with Next Available SecurID Token is chosen, this
field shows the token serial number of the token that was replaced.
- You likely don't want to use the Replace with Next
Available SecurID Token option. See Replacing
Tokens for more information.
- CT-KIP Capable
- Software tokens only. Token seed can be initialized over the network
rather than generating and sending a seed file (more information below
under Software Tokens).
- Last Used To Authenticate
- Date and time of the last authentication using this token.
- Expires On
- The date and time the token license expires and the token is no
longer usable for authentication.
- Security Domain
- The security domain the token currently resides in.
- Notes
- A free-form field for notations.
Assigning Tokens
After Searching/Listing the User ID you wish to assign a token to, click the
down arrow to the right of the User ID. Select one of the following options:
- SecurID Tokens
- Lists the tokens assigned to the User ID. Various token related actions
can be performed from this screen and tokens can then be assigned
using the Assign Token button.
- Assign More...
- A short-cut to the Assign Token screen.
A list of unassigned tokens will appear.
- Select the token to be assigned, noting the token type.
- SID800: hardware token.
- Software: any software-based token generator (iOS,
Android, etc.).
- Click the Assign button.
Hardware tokens are now ready to be used.
Software tokens require an additional distribution procedure before they can
be utilized.
Distributing Software Tokens
Unlike hardware tokens, software tokens need to be configured before they can
be used. The procedure for distributing this configuration file varies
depending on the type of software token, user requirements/preferences, and
preferred method of distribution. Administrator guides detailing provisioning
procedures for various soft tokens/software authenticators can be found at:
https://www.sitelicensed.iastate.edu/software/securid/SoftwareAuthenticators/.
As a general rule, it is recommended that SDTID files be password protected.
Passwords should be communicated through an alternate channel (in person,
phone) and not via email or SMS.
Disabling Tokens
- List a user's tokens by following the procedure under Assigning Tokens and select
SecurID Tokens.
- Click on the down arrow to the right of the token serial number you wish
to modify and select Edit.
(Distributed software tokens will have additional token status
information.)
Check the Token is disabled box and then the
Update button at the bottom to commit the changes.
Replacing Tokens
Replacing a user's token involves two basic steps:
- Disable the old token (see Disabling Tokens).
- Assign a new token (see Assigning Tokens).
The order in which you perform these steps depends on the situation. If the
user's token is lost/stolen then you will want to disable the token
immediately before assigning a new one. If the user is transitioning from one
token type to another then you will want to assign them the new token, ensure
that it works for them, and then disable the old token.
NOTE: you may notice the "Replace with Next Available
SecurID Token" option, which will select the next available
(unassigned) token and assign it to the User ID. This option is not
desirable for the following reasons:
- It does not take the token type into account when selecting the next
available token. If your user currently has a hardware token and the next
available token is for a software token, the software token will be assigned
to replace the hardware token. By performing the assignment manually the
security domain administrator can ensure that the proper token type is
assigned.
- Depending on how many unassigned hardware tokens you have lying around, it
may be easier to grab one at random and assign it rather than try to find a
specific token out of many.
PIN Management
- List a user's tokens by following the procedure under Assigning Tokens and select
SecurID Tokens.
- Click on the down arrow to the right of the token serial number you wish
to modify and select Edit.
- User Authentication Requirement
- Require PIN during authentication is highly recommended;
tokencode only is discouraged.
- SecurID PIN Set
- Shows whether a PIN has been set and, optionally, allows the administrator
to clear the PIN. If a PIN is required for authentication, the user will be
prompted to set a PIN after the next successful authentication where they will
only enter their tokencode.
- Force SecurID PIN Change
- Requires that the PIN for this token be changed after the
next successful authentication, but does not clear the current PIN.
Emergency Access Tokens
In circumstances where the user has forgotten their token (not lost! -- lost
tokens should be disabled) or the token has become physically damaged and a
new one cannot be physically issued, temporary access tokens can be generated.
Tokens can be generated for online and/or offline access.
- Online Access
- The authenticating agent has network connectivity and is able to
authenticate against the SecurID servers.
- Offline Access
- The authenticating agent does not have network connectivity or is unable
to authenticate against the SecurID servers.
First, a word of caution. You may discover that if you hit the drop down
arrow to the right of a User ID there's an option called Manage
Emergency Offline Access. This will display the following message:
There are two important things to note about this message:
- This message is referring to Passcodes, not Token codes.
Global policy currently prohibits the creation of
emergency Passcodes. By only allowing the creation of Token
codes, the user will still need to know and provide their PIN during
authentication.
- The message "Emergency Offline Access is not enabled for this
user" at best refers to the use of Offline Access
Passcodes and not Emergency Offline Access in general.
This option and screen above should be ignored.
To manage Emergency Offline Access:
- Display the token which you wish to manage.
- Click the down arrow to the right of the serial number and select
Manage Emergency Access Tokencodes....
This screen will look differently if Online Emergency Access
was previously enabled or if Offline Emergency Access data has been downloaded
by an agent.
If Online Emergency Access is enabled, a pane like the following
will be shown:
- Type of Emergency Access Tokencode(s)
- A Temporary Fixed Tokencode can be used repeatedly
until it expires.
- A Set of One Time Tokencodes cannot be reused; each code is valid once.
If Set of One Time Tokencodes is selected, these additional
options are displayed:
- Manage Tokencodes
- Checking this box will clear all unused tokencodes.
- Generate New/Additional Tokencodes
- Required. Generates the specified number of tokencodes.
Be sure to click Save at the bottom of the screen!
- One Time Tokencodes
- The generated tokencodes. Distribute with care!
- Online Emergency Access Tokencode
- The tokencode that temporarily replaces the hard or soft tokencode.
Can be used repeatedly.
- Emergency Access Tokencode Lifetime
- Sets an optional expiration date on the Tokencode. Ideally this
should be as short of a time as possible.
- If Token Becomes Available
- What to do with the emergency access tokencode(s) once the user has
authenticated with non-emergency tokencode.
- Last Used to Authenticate
- The date/time the emergency access tokencode was used.
If a user has authenticated from an agent that can utilize offline data (such
as the Windows agent) and that agent has downloaded offline data which
has not expired, then the following screen will be shown:
- Offline Emergency Access Tokencode
- The tokencode that replaces the code on the hard/soft token. Ensure
that this is communicated to the user in-person, over the phone and NOT
via e-mail or SMS.
- Expires on
- When the tokencode expires.
- Reset Offline Emergency Access Tokencode
- If you have reason to believe that the current tokencode has been
compromised, checking the box (and saving!) will generate a new Offline
Emergency Access Tokencode the next time the user authenticates online.
- Allow for Online Access
- Use the current Offline Emergency Access tokencode as an Online Temporary
Fixed Tokencode. Note: must enable Online Emergency Access and select
Temporary Fixed Tokencode before seeing that the code has been
copied.
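The rules above (a Temporary Fixed Tokencode is reusable until its lifetime expires, a One Time Tokencode is consumed on first use, the PIN is still required because emergency Passcodes are prohibited, and "If Token Becomes Available" revokes the emergency codes once the real token is used again) can be summarised as a small state model. The Python block below is an added example written for this guide; it is not RSA's code and does not talk to Authentication Manager. The class, method names and the 8-digit code format are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set


@dataclass
class EmergencyAccess:
    """Emergency-access state for one user's token (constructed model, not the product's data)."""
    pin: str                                    # the user's existing PIN is still required
    fixed_code: Optional[str] = None            # Temporary Fixed Tokencode: reusable until expiry
    one_time_codes: Set[str] = field(default_factory=set)  # Set of One Time Tokencodes: used once each
    expires_at: Optional[datetime] = None       # Emergency Access Tokencode Lifetime
    revoke_when_token_returns: bool = True      # "If Token Becomes Available": revoke emergency codes
    last_used: Optional[datetime] = None        # "Last Used to Authenticate"

    def generate_one_time(self, count: int) -> Set[str]:
        """'Generate New/Additional Tokencodes': add `count` fresh, unique 8-digit codes."""
        new: Set[str] = set()
        while len(new) < count:
            code = f"{secrets.randbelow(10 ** 8):08d}"
            if code not in self.one_time_codes:
                new.add(code)
        self.one_time_codes |= new
        return new

    def clear_unused(self) -> None:
        """'Manage Tokencodes' checkbox: discard every unused one-time code."""
        self.one_time_codes.clear()

    def revoke_all(self) -> None:
        """Drop every emergency code; the real token is the only credential again."""
        self.fixed_code = None
        self.one_time_codes.clear()

    def authenticate(self, passcode: str, now: datetime,
                     real_tokencode: Optional[str] = None) -> str:
        """Check a Passcode (PIN + tokencode) and return a short outcome label.

        `real_tokencode` is what the user's actual token displays right now, if the
        token is back in the user's hands; None while the token is unavailable.
        """
        pin_part, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Emergency codes never replace the PIN: a wrong or missing PIN fails first.
        if not hmac.compare_digest(pin_part, self.pin) or not code:
            return "reject: bad PIN"
        # The real token came back: normal authentication, then honour the
        # "If Token Becomes Available" setting.
        if real_tokencode is not None and hmac.compare_digest(code, real_tokencode):
            if self.revoke_when_token_returns:
                self.revoke_all()
            return "ok: token"
        if self.expires_at is not None and now >= self.expires_at:
            return "reject: emergency access expired"
        if self.fixed_code is not None and hmac.compare_digest(code, self.fixed_code):
            self.last_used = now           # reusable: stays valid until expiry
            return "ok: temporary fixed tokencode"
        if code in self.one_time_codes:
            self.one_time_codes.discard(code)   # consumed: a replay is rejected
            self.last_used = now
            return "ok: one-time tokencode"
        return "reject: unknown tokencode"
```

The lifetime check runs before either emergency code is consulted, so a short lifetime limits exposure of a code that was distributed carelessly, which is why the guide asks for the shortest practical lifetime and for in-person or phone delivery.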
Agent Provisioning
Before installing the agent software, an agent record must be created on the
security console.
It is important that an agent record be created prior to a client's
first attempt to authenticate against the SecurID servers. If an
unregistered agent (client) attempts to authenticate an entry will be
automatically created for the agent, but in the default SystemDomain
which only the SecurID server admins may access. You will not be able to
manage this entry until you have contacted the SecurID Server admins
(sidroot@iastate.edu) and requested that the agent record be moved to the
proper security domain.
If the Agent is NOT using RADIUS:
Access --> Authentication Agents --> Add New
- Administrative Control
- Security Domain
- Unless you have control over multiple domains there will be only one
choice for Security Domains.
- Authentication Agent Basics
- Hostname/IP Address
- Enter either the Hostname and click Resolve IP or
enter the IP Address and click Resolve Hostname.
- Protect IP Address
- Leave this checked.
- Alternate IP Addresses
- If this Agent is on a multi-homed machine you may need to enter the
other IPv4 addresses here.
- Notes
- A free-form field for notations.
- Authentication Agent Attributes
- Agent Type
- Typically this will be Standard Agent unless the Web
Agent is being used.
- Disabled
- Check this to disable the agent. Disabled agents cannot
authenticate.
- Agent May be Accessed by
- Only All users is currently supported.
- Authentication Manager Contact List
- Set to Automatically assign automatic contact list from instance
that responds first unless specifically instructed.
- Trusted Realm Settings
- Not currently implemented.
Click Save.
If the Agent is using RADIUS, send a message to the SecurID
Server Administrators (sidroot@iastate.edu) with the following
information:
- Client Hostname
- Client IP Address (v4 only)
- Security Domain
- Requestor name/phone
RADIUS uses a shared secret to encrypt and decrypt password information
between the RADIUS server and clients. This shared secret will be generated
by the SecurID Server Administrators and communicated to the requestor
in person or by phone/voicemail. In addition, an agent record will be
created for the client.
RADIUS requests must be made by security domain administrators
only.
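The shared secret mentioned above is what RADIUS uses to hide the User-Password attribute in transit (RFC 2865, section 5.2): the password is padded to a multiple of 16 bytes and each block is XORed with MD5(secret + previous block), the first "previous block" being the packet's 16-byte Request Authenticator. The Python block below is an added example written for this guide, not code from RSA or from the ITS service; the secret, authenticator and password in the test are constructed values. It shows why the secret has to be delivered out of band: anyone who holds it can undo the hiding, and anyone who lacks it cannot.

```python
import hashlib

# RFC 2865 section 5.2, User-Password hiding. Added example: not RSA's code.

def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16 octets, minimum 16 (RFC limit is 128)."""
    if len(data) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    target = max(1, (len(data) + 15) // 16) * 16
    return data + b"\x00" * (target - len(data))


def hide_password(shared_secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Client side: turn a cleartext password into the wire form of User-Password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator                      # b_1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher                          # b_n = MD5(S + c_(n-1))
    return bytes(out)


def reveal_password(shared_secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: recover the password. Trailing NUL padding is stripped, so a
    password that itself ends in NUL bytes is ambiguous (a property of the RFC scheme)."""
    if len(authenticator) != 16 or len(hidden) % 16 != 0 or not hidden:
        raise ValueError("malformed input")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block                           # keystream chains on the *ciphertext* block
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demonstration values; a real Request Authenticator is random per packet.
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))
    hidden = hide_password(secret, ra, b"correct horse battery staple")
    print(hidden.hex())
    print(reveal_password(secret, ra, hidden))
</test>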