I’ve been struggling for a few months to find the answers to all of life’s questions… err.. I mean how to integrate an RSA SecurID soft-token with the VMware View iPad Client.
- PCI Compliance requires multi-factor authentication for remote access to your cardholder data environment. It’s also a good security practice if you use remote access.
- RSA SecurID is the most widely used form of multi-factor authentication, but there are certainly other options (Note: View only supports integration with RSA or RADIUS at this time).
- Users do not have to carry around a physical RSA keyfob.
- Users do not have to pull up the RSA app on their mobile device, memorize the 8-digit tokencode, switch over to the VMware View app and type in that code, all within the 60- (or 30-) second window. That’s a little much for some folks to handle.
- RSA Server 7.1 SP4 (This is what I tested against)
- View 5.1 with RSA enabled
- VMware View iPad App
- Access to your RSA server’s admin page, or the ability to get the specific type of token from the RSA administrator in your organization.
One point of clarification:
What is the difference between PIN, tokencode and PASSCODE?
The terminology can be very confusing. With two-factor authentication there are two components that a user needs in order to authenticate. The two factors are “something the user has – RSA Token which displays a tokencode” and “something the user knows – PIN”. The PASSCODE is a combination of the user’s PIN followed by the tokencode. For example, if your PIN is abc1234 and the current tokencode is 987654, your PASSCODE is abc1234987654.
There are several broad steps at the beginning, and I will be focusing this post on the last few of them, but I have included all of the steps, with info on how to do each, to make sure you’re doing everything that needs to be done.
1. Set up VMware View 5.1, a security server, and a connection server. You should be able to access your View environment from outside your corporate network.
2. Set up RSA Server 7.1 SP4, or have your RSA admin upgrade you to this version. Make sure it is integrated into your Active Directory environment so it syncs up beautifully with View. *Tip: Make sure your RSA server’s computer name is all lowercase, and never ever change the name. Strange things happen if you do.*
Here are some other things you have to do but I will not be providing detailed instructions in this post:
Set up your internal View connection server (paired with the security server) as an “authentication agent” in RSA.
Download the SDCONF.REC file from your RSA server.
Configure your View Connection Server to force RSA authentication before Active Directory authentication. Once you’re ready to force users to use RSA (after training and token setup, of course), follow the instructions from the VMware View documentation, found here.
3. Install the iPhone software token device type. Go here and download the documentation and device definition file. You or your RSA admin will need to install the iPhone device type into the RSA console.
4. Assign a software token to a user. Instructions are on page 39 of the admin guide, “Provisioning File-Based Tokens”.
5. Edit the user’s token and issue the token.
- Go to Authentication > SecurID Tokens > Manage Existing.
- Find the new user’s token, press the down arrow beside it and press edit.
- Start and follow the steps beginning on page 40 of the admin guide, “Provisioning File-Based Tokens”.
Some settings of note (the instructions refer you back to Steps 1-4 of the previous section, so check these settings):
- Pages 35-36 – If you want to restrict delivery of the token to ONE Device, then follow those instructions to retrieve the info from the user’s RSA app, replace the GUID serial number field, then issue the token. BE WARNED: This will BIND your token to that device. If a user changes devices, then you will need to issue a new token. This is also a 1-to-1 bind. This means one software token license equals one device token. In my use case, I am NOT binding tokens to devices and the user can use the same token in their View iPad app, on their iPad RSA app, and on their iPhone/Droid RSA app.
- Press “Save and Distribute Token.”
- Choose Distribution Method: “Issue Token File SDTID”.
- Page 37 – follow the suggestions in the graphic for “software token settings.”
- Turn back to page 40, picking up at step 3. Give your token a password (required to install the token on the user’s device; a 4-digit PIN is OK, for example 5672).
- Press Next to issue the token file and download the zip file. Extract it and get ready to use.
5. Set up the Token Converter tool. Download the software token converter tool from RSA’s website here. Create a converter folder on your computer (like C:\Temp) and put the “TokenConverter.exe” and “sdti2tsf.dll” files in it. Drop all of the downloaded and extracted SDTID files (from step 4) into the folder as well. You can identify them by the file name, which should be “username_0000135562626.sdtid” (where the numbers are the token ID).
6. Convert the SDTID files into the iPhone software token format.
- With your token converter files and the .SDTID files in one directory, open up a command prompt and navigate to that directory.
- The command to execute is below. NAMEtokenfile.txt is the output file (name it whatever you like). The output file consists of the “url” that you will send to each user via e-mail, so you probably want to make the file name user-specific so as not to get confused. The username_0000135562626.sdtid argument is the specific SDTID file you want to convert. 5672 is the example password that you or your admin put on the token file.
- TokenConverter.exe username_0000135562626.sdtid -p 5672 -mobile -o NAMEtokenfile.txt
7. Send the token URL to your user(s). Open up your NAMEtokenfile.txt file(s), copy the “url” out of the file and e-mail it to your user(s). The URL is going to look something like this (I’ve changed the numbers so you can’t steal my token): com.rsa.securid://ctf?ctfData=202222222222222222222222222222222222222222222222222222222222222222722
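Steps 5 through 7 are tedious to repeat by hand when you have more than a handful of users, so here is a PowerShell script, added as an example and not part of the original post or RSA’s tooling, that runs the same TokenConverter.exe command for every SDTID file in the converter folder, names each output file after the user, and pulls the com.rsa.securid:// URL out of it. It assumes the folder layout and file naming from the post (TokenConverter.exe and sdti2tsf.dll in C:\Temp alongside username_tokenid.sdtid files) and that the converter writes the URL into the -o output file; the -p/-mobile/-o switches are the ones from the post’s command line.

```powershell
# Added example (not from the original post): batch-run TokenConverter.exe for every
# SDTID file in the converter folder and collect each user's soft-token URL.
# Assumptions: TokenConverter.exe and sdti2tsf.dll sit in $ConverterDir, the SDTID
# files are named <username>_<tokenid>.sdtid as in the post, and the converter writes
# the com.rsa.securid:// URL into the file given with -o.
param(
    [string]$ConverterDir = 'C:\Temp',
    # The password set on the token file when it was issued (5672 in the post's example)
    [Parameter(Mandatory = $true)][string]$TokenPassword
)

Set-Location $ConverterDir

foreach ($sdtid in Get-ChildItem -Path $ConverterDir -Filter '*.sdtid') {
    # Derive the user name from "username_0000135562626.sdtid"
    $userName = ($sdtid.BaseName -split '_')[0]
    # One user-specific output file per token, e.g. jsmithtokenfile.txt
    $outFile  = Join-Path $ConverterDir "$($userName)tokenfile.txt"

    # Same command line as the post, with the file name and password filled in
    & .\TokenConverter.exe $sdtid.Name -p $TokenPassword -mobile -o $outFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "TokenConverter failed for $($sdtid.Name) (exit code $LASTEXITCODE)"
        continue
    }

    # Extract the com.rsa.securid:// URL so it can be pasted into the user's e-mail
    $url = Select-String -Path $outFile -Pattern 'com\.rsa\.securid://\S+' |
           ForEach-Object { $_.Matches[0].Value } |
           Select-Object -First 1
    if ($url) {
        [PSCustomObject]@{ User = $userName; TokenFile = $sdtid.Name; Url = $url }
    } else {
        Write-Warning "No com.rsa.securid:// URL found in $outFile"
    }
}
```

Run it from the converter folder as `.\Convert-Tokens.ps1 -TokenPassword 5672` (the script name is my own choice) and pipe the output to `Export-Csv` if you want a list of who received which token. Because the URL plus the token password is everything needed to import the token into an RSA app, send the password through a different channel from the e-mail carrying the URL, and delete the .sdtid and tokenfile.txt files from the converter folder once the users have confirmed their imports.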
8. Users should set up their RSA accounts on your network. You can make the RSA server public through your DMZ, but that’s really not necessary for this purpose (though you can). In the same e-mail, direct your users to the link below. They should click that link, log in with their Windows Active Directory username and password, and then set up their PIN code and security questions.
9. Install the token into the RSA app on your iPhone/iPad.
- Users should have the iPhone/iPad apps installed on their devices already (from the iTunes App store).
- Then they should open up their e-mail and click on the link you just sent them.
- This will open up the app and ask for the password (5672 in my example).
- It might also ask for the PIN code that they setup in the step above.
10. Install the token into your VMware View Client iPad app on your iPhone/iPad only after your connection server is RSA enabled.
*Note: Remember that if in step 5, you chose to bind the token to a specific device, that you must use one token per app. You cannot use the token for both #9 and #10.*
- Users should already have the VMware View iPad app installed, available for free from the iTunes App store.
- Copy the URL from the email (The whole text) to the iPad/iPhone clipboard.
- Open the View Client app.
- Go into your view connection server – click “external token”
- Token Description: call it whatever you want (plain text)
- URL: paste the complete URL from the e-mail (output of the NAMEtokenfile.txt)
- Password: if you put a password on the token (which you should have), then type that in (my example was 5672).
Your login screen on your iPad now looks like this:
[Screenshot: the View Client login screen on the iPad]
And if you press “token code available..” you get the next screen, where you can actually authenticate using an external token (if someone else needs to log in with their credentials on your iPad/iPhone):
[Screenshot: the View Client external-token authentication screen]
So once you have everything set up, you or your user taps the View connection server in the app, enters the Windows username and the RSA PIN (since the token is stored on the device), and presses Done; the app authenticates to RSA. Then you or your user logs in with the Windows username and password.
And BAM – your users’ lives are easier while at the same time you are securing your critical data and being PCI compliant!
This blog was originally posted on http://www.egroup-us.com/?p=7766. Same Author. Different Site.