Using CA PAM with RSA

Document ID : KB000009898
Last Modified Date : 14/02/2018

Setting up CA PAM to use RSA authentication requires several steps.  The basics are that you must configure the RSA server, with a token associated with a user, and then configure CA PAM to use RSA authentication.  If a soft token is being used there will be extra steps to distribute the token profile and import it into the token software.


Start with the RSA server.  You will have to get the information about your tokens into the RSA server.  This document will assume you, or the RSA Server Admin, know how to do this.  Once you have done this you will have to create a user and associate it with a token.  You will notice that the PIN is not set.  It will be set during the user's first login to CA PAM.

[Figure: RSA_PinNotSet.JPG]


You have to create an Authentication Agent entry for the system on which users will be logging in with RSA authentication.  You will have to use Generate Configuration File to create the sdconf.rec file, which will have to be uploaded into CA PAM.

[Figure: RSA_AuthenticationAgents.jpg]



The sdconf.rec file that you downloaded will be used when you configure RSA on the 3rd Party page.  After you upload the file into CA PAM you will be prompted to clear the Node Secret.



The node secret may have to be cleared on the RSA server as well.

[Figure: RSA_ClearNodeSecret.JPG]


You will also have to create and download a profile.  This profile will have to be uploaded into the token software.  Be aware that the token software has an option that affects how the token is displayed.  The default is to display the token with the PIN included.  Make sure to select the "Pin followed by token" Authentication Type, to have the soft token behave like a token fob.

[Figure: RSA_TokenProfile.JPG]


Once you've created your profile, use Distribute to synchronize the soft token with the RSA server.  In this case the token was distributed using the Web option, and in the token software the Import from Web option was used.

[Figure: RSA_TokenDistribute2.JPG]


Before you can log in you must create a user in CA PAM that corresponds to the user you created in the RSA server.  You must enter the password and confirmation, but it won't be used.  Make sure to set the Authentication to RSA.

[Figure: RSA_PAMuser.JPG]


You are now ready to log in using RSA.  Use the token software with no PIN set to generate the token.  Paste this into the Passcode field, with no PIN.  You will be prompted to enter your PIN.



After you enter the PIN you will receive a prompt to wait for the token to change and then enter the full passcode.  In your token software set the new PIN and display the token.  Submit this and you will be logged in.  At this point you will see in the RSA server that the PIN is set.  In subsequent logins you will not be prompted for anything else after entering PIN+token, unless something changes within the RSA server.  For example, the RSA admin could require that the PIN be changed.
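The first-login sequence above (tokencode only, then a prompt for the PIN, then wait for the token to change and submit PIN followed by the new tokencode) is modelled below as a small server-side state machine.  This is an added illustration, not CA PAM or RSA code: the tokencode generator is a constructed HMAC stand-in rather than RSA's SecurID algorithm, and the 4-8 digit PIN rule is an assumed policy.

```python
import hashlib
import hmac
import struct


# Constructed stand-in for the soft token: a time-stepped HMAC code.
# It is NOT RSA's SecurID algorithm; it only yields changing 6-digit codes.
def tokencode(seed: bytes, t: int, interval: int = 60) -> str:
    digest = hmac.new(seed, struct.pack(">Q", t // interval), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


class PinFollowedByTokenAuth:
    """Server side of the first-login flow: PIN not set -> New PIN -> next tokencode."""

    def __init__(self, seed: bytes, interval: int = 60):
        self.seed, self.interval = seed, interval
        self.pin = None            # PIN is not set until the user's first login
        self.awaiting_pin = False  # True after the initial tokencode was accepted
        self.last_step = None      # time step of the last accepted code (blocks reuse)

    def _fresh_code_ok(self, code: str, t: int) -> bool:
        step = t // self.interval
        if self.last_step is not None and step <= self.last_step:
            return False           # same or older tokencode: "wait for the token to change"
        if not hmac.compare_digest(code, tokencode(self.seed, t, self.interval)):
            return False
        self.last_step = step
        return True

    def login(self, passcode: str, t: int) -> str:
        """Submit what was typed in the Passcode field; returns the next prompt."""
        if self.awaiting_pin:
            return "ENTER_PIN"     # nothing else is accepted until the PIN is set
        if self.pin is None:       # first login: tokencode only, no PIN
            if self._fresh_code_ok(passcode, t):
                self.awaiting_pin = True
                return "ENTER_PIN"
            return "DENIED"
        # PIN set: passcode must be the PIN followed by the current tokencode
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if hmac.compare_digest(pin, self.pin) and self._fresh_code_ok(code, t):
            return "ACCESS_GRANTED"
        return "DENIED"

    def set_pin(self, pin: str) -> str:
        # Assumed policy: 4-8 digits; a PIN may only be set when the server asked for one
        if not self.awaiting_pin or not (4 <= len(pin) <= 8 and pin.isdigit()):
            return "DENIED"
        self.pin, self.awaiting_pin = pin, False
        return "WAIT_FOR_NEXT_TOKENCODE"
```

The replay check in `_fresh_code_ok` is what forces the user to wait for the token to change before submitting PIN+tokencode after setting the PIN.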

This completes this topic.  The topic of configuring LDAP+RSA will be covered in another document.