0% found this document useful (0 votes)

42 views52 pages

PAMAgent Oracle RHEL

Uploaded by

ferdinand.escolar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

42 views52 pages

PAMAgent Oracle RHEL

Uploaded by

ferdinand.escolar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 52

RSA® Authentication Agent 8.

1 for PAM
Installation and Configuration Guide for Oracle and RHEL

Revision 10
Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

RSA Conference Logo, RSA, and other trademarks, are trademarks of RSA Security LLC or its affiliates ("RSA").
For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks
are trademarks of their respective owners.

License Agreement

This software and the associated documentation are proprietary and confidential to RSA Security LLC or its
affiliates are furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation, and any
copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed on the product documentation page on RSA
Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of
encryption technologies, and current use, import, and export regulations should be followed when using,
importing or exporting this product.

Distribution

Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this
publication requires an applicable software license. RSA believes the information in this publication is accurate
as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

© 2007-2023 RSA Security LLC or its affiliates. All Rights Reserved.

Revised January 2023

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Contents

Revision History 7

Preface 8

Audience 8

Support and Service 8

RSA Ready Partner Program 8

Chapter 1: Installing the PAM Agent 9

Overview of the RSA Authentication Agent 8.1 for PAM 9

Authentication Modes 10

PAM Agent Workflow 10

Supported Authentication Methods for the PAM Agent 11

Software Requirements 12

Required Operating Systems 12

SELinux Requirements for RHEL and Oracle Linux 13

RSA SecurID Authentication API Version Support 13

Authentication Manager Version Support 13

Cloud Authentication Service Version Support 14

Certificate Requirements 14

Supported Tools 14

OpenSSH Support (Optional) 15

Planning to Install the PAM Agent 15

Installing the RSA Authentication Agent 8.1 for PAM 18

Specify the Agent IP Address for UDP Mode 19

Configure OpenSSH 19

Install the PAM Agent 20

Before Installing the PAM Agent on RHEL 8.0 (64-bit) 20

Install the PAM Agent on One Machine 20

Bulk Install the PAM Agent with the Silent Installation 22

Enable SELinux 23

Upgrade to the RSA Authentication Agent 8.1 for PAM 24

Configuring Tools 25

Configure telnet 25

3
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Configure login 26

Configure rlogin 26

Configure su 26

Configure ssh and Related Tools 27

Configure sudo 27

Configure ftp 27

Configure gdm 28

Chapter 2: Configuring Features 29

Configuring Agent and UNIX Features 29

Enable Agent Reporting for SecurID Authentication Agent 8.1 for PAM 29

Enable Debug Output 30

Enable SecurID Trace Logging for UDP Mode 30

Configure Stackable Modules 30

Use Reserve Passwords 31

Enable Selective SecurID Authentication 32

Enable Selective SecurID Authentication for UNIX Groups 32

Enable Selective SecurID Authentication for UNIX Users 33

Configure Exponential Backoff Time 33

Replace the Server Trusted Root CA Certificate 34

Changing the PAM Agent Authentication Mode 35

Change from the UDP Protocol to the REST Protocol 35

Change from the REST Protocol to the UDP Protocol 37

Change Between Authentication Manager and the Cloud Authentication Service 37

Appendix A: Troubleshooting 41

Known Configuration Issues 41

Issues With Supported Tools 41

Upgrade and Uninstall Issues 42

Authentication Utilities for UDP Mode 43

Run the acetest Utility 43

Run the acestatus Utility 43

Conversion Utility for UDP Mode 44

Node Secrets for UDP Mode 45

Clear the Node Secret From SecurID Authentication Agent 8.1 for PAM 45

4
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Clear the Node Secret on the PAM Agent Machine 45

Generate a New Node Secret 46

Logging for the PAM Agent 46

Configure the System Log 46

PAM Agent Authentication Log Messages 46

Logging for REST Mode 47

Troubleshooting SELinux 48

Using the REST protocol on an Upgraded Agent 48

Enable Custom Path Settings 48

Configure Timeout and Retry Values for REST Authentication 49

Uninstall the RSA Authentication Agent 8.1 for PAM 49

Uninstall the PAM Agent from One Machine 50

Bulk Uninstall the PAM Agent in Silent Mode 50

Appendix B: Critical Configuration Files 51

Critical Configuration Files 52

5
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Revision History

Revision
Date Revision
Number
Added more details about the REST server URL and
1 June 2018 the client key for the two REST Protocol
authentication modes.
Added "Replace the Server Trusted Root CA
2 August 2018 Certificate" and link to knowledgebase article for
exporting trusted root CA certificate.
Added more details about authentication in
3 June 2019
REST mode.
4 July 2019 Added support for RHEL 7.6 (64-bit).
Added a note about file permissions for non-
5
August 2019 privileged users.
6 September 2019 Added support for RHEL 8.0 (64-bit)
Added a statement that the PAM agent in
REST mode uses the TCP protocol for deployments
7 November 2019
that require authentication agents to use IPv4 or
IPv6.
Added instructions for obtaining the RSA SecurID
8 October 2020 Authentication API REST URL from the Cloud
Administration Console.
Added information on supported authentication
methods.
9 December 2020 Added configuration details for using Authentication
Manager 8.5 as a secure proxy server for the Cloud
Authentication Service.
Added support for RHEL 7.8 (64-bit), 7.9 (64-bit),
10 January 2023 8.3 (64-bit), 8.5 (64-bit), 8.6 (64-bit), 9.0 (64-bit),
CentOS 7.9 (64-bit).

Revision History 7
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Preface

Audience

®
This guide is for network and system administrators who install, upgrade, and troubleshoot RSA Authentication
Agent for PAM (pluggable authentication module).

Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link
contains a knowledgebase that answers common questions and provides solutions to known problems, product
documentation, community discussions, and case management.

RSA Ready Partner Program

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware
and software products that have been certified to work with RSA products. The website includes Implementation
Guides with step-by-step instructions and other information on how RSA products work with third-party
products.

8 Preface
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Chapter 1: Installing the PAM Agent

Overview of the RSA Authentication Agent 8.1 for PAM 9

Supported Authentication Methods for the PAM Agent 11

Software Requirements 12

Planning to Install the PAM Agent 15

Installing the RSA Authentication Agent 8.1 for PAM 18

Upgrade to the RSA Authentication Agent 8.1 for PAM 24

Configuring Tools 25

Overview of the RSA Authentication Agent 8.1 for PAM

The RSA Authentication Agent 8.1 for PAM (pluggable authentication module) supports authentication on UNIX
systems with standard or OpenSSH connection tools. The PAM agent uses RSA customized shared libraries, and
supports access to UNIX servers and workstations with the authentication methods supported by the Cloud
Authentication Service and Authentication Manager.

You can choose whether the PAM agent authenticates to the Cloud Authentication Service or Authentication
Manager. The SecurID Enterprise Edition license and the Premium Edition license include both of these
components of SecurID. Authentication Manager is not required to use the PAM agent.

Version 8.1 of the PAM agent offers the following new benefits:

l Support for the Cloud Authentication Service. The Cloud Authentication Service uses multifactor
authentication methods, such as Approve (mobile-optimized push notification), Authenticate Tokencode,
Device Biometrics, SMS Tokencode, Voice Tokencode, and RSA SecurID tokens to help secure access to
software as a service (SaaS) and on-premises web applications for users.
l Ability to access Authentication Manager with the REST protocol, instead of the UDP protocol.
l Continued support for the UDP protocol used by earlier versions of the PAM agent.
l Authentication Manager has agent reports that help you to manage your installed REST protocol
PAM agents. In REST mode, the PAM agent can send additional information to the Authentication
Manager server, such as a unique software ID number for each installed PAM agent and information on
the operating system used by the agent.

Using the PAM agent in REST mode offers additional advantages over using the UDP protocol:

l Makes it easy for your Authentication Manager deployment to integrate the Cloud Authentication
Service.
l You can add and maintain one authentication agent record in Authentication Manager and use it to
represent multiple installed agents.
l You can run multiple authentication agents on the same hardware more easily than you can using the
UDP protocol.

Chapter 1: Installing the PAM Agent 9

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

l Uses the TCP protocol for deployments that require authentication agents to use IPv4 or IPv6 network
settings or the IPv4 or IPv6 protocol.
l In the REST protocol authentication modes, version 8.1 of the PAM agent uses the FIPS-compliant
cryptographic library module fips-2.0.16 with OpenSSL version 1.0.2l. For more information, see
OpenSSL FIPS 140-2 Security Policy Version 2.0.16 at
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf.
l Requires fewer authentication agent updates for new features and enhancements than authentication
agents that do not use the REST protocol. Authentication agents that use the REST protocol are more
likely to take advantage of changes in Authentication Manager, thus reducing the number of updates
required on multiple agents.

Authentication Modes
You can install the PAM agent in one of three authentication modes. All modes provide
RSA SecurID authentication. You can change the mode after installation as needed. For instructions, see
Changing the PAM Agent Authentication Mode on page 35.

Authentication Mode Description

RSA SecurID hardware and software authenticators generate RSA SecurID
tokencodes. The agent verifies that the user-entered data matches the
data stored in Authentication Manager and allows or denies access based
Authentication Manager with the on the result.
UDP Protocol
By default, the PAM agent upgrade configures the agent to use the
UDP protocol. You can easily switch to a different authentication mode that
uses the REST protocol.
Support for all types of authentication supported by Authentication
Authentication Manager with the Manager over the REST protocol, such as RSA SecurID software and
REST Protocol hardware tokens and Authenticate Tokencode through an integration with
the Cloud Authentication Service component.
Supports Approve (mobile-optimized push notification), Authenticate
Tokencode, Device Biometrics, SMS Tokencode, Voice Tokencode, and
Cloud Authentication Service with
RSA SecurID tokens. FIDO, and authentication conditions requiring
the REST Protocol
combinations of methods (such as Approve AND RSA SecurID token) are
not supported.

RSA Authentication Agent 8.1 for PAM supports Authentication Manager trusted realms. Authentication Manager
risk-based authentication (RBA) is not supported.

PAM Agent Workflow

The PAM agent is installed on a UNIX server. It acts as an intermediary between authenticating users and either
the Authentication Manager server or the Cloud Authentication Service.

The PAM agent supports Authentication Manager security features. For example, if Authentication Manager
determines that the user associated with a particular token requires a new PIN, then the agent requests the PIN,
which has characteristics defined in Authentication Manager, and sends the information to Authentication
Manager. If Authentication Manager requests the next tokencode displayed on the user’s token, then the
PAM agent prompts the user. If the correct next tokencode is not sent to Authentication Manager, authentication
fails.

These steps describe the authentication flow for the PAM agent, in all three authentication modes:

10 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

1. A user attempts to access a machine protected by the PAM agent, either locally, with login, or remotely,
with tools such as rlogin, telnet, SSH, and FTP.

The user must exist locally on the machine on which the PAM agent is installed.

2. The UNIX pluggable authentication module (PAM) infrastructure intercepts all logon requests, and uses
PAM configuration files to access the RSA PAM module:
l If a user is not configured for RSA SecurID authentication, the RSA PAM module allows the
request to succeed.
l If the user requesting access is challenged by RSA SecurID, the PAM agent continues
authentication with step 3.

3. Based upon the PAM agent authentication mode, the agent contacts either Authentication Manager or
the Cloud Authentication Service.

For Authentication Manager with a UDP connection or the REST protocol, the following steps occur:

a. The agent prompts the user for the user name and then for the passcode.
b. The agent securely sends the user name and passcode to Authentication Manager:
l If Authentication Manager approves the request, the agent grants access to the user.
l If Authentication Manager does not approve the request, the agent denies access.

For the Cloud Authentication Service, the following steps occur:

a. The agent prompts the user for a user name, and sends the information to the Cloud
Authentication Service.
b. The Cloud Authentication Service provides the agent with the authentication methods configured
for the user in the assurance level of the Cloud Authentication Serviceaccess policy.
c. The agent prompts the user to authenticate.
d. The user chooses an available authentication method and authenticates:
l If the Cloud Authentication Service approves the request, the agent grants access to the
user.
l If an authentication method is unsuccessful, the Cloud Authentication Service prompts
the user for the next authentication method.
l If the Cloud Authentication Service does not approve the request, the agent denies
access.

Supported Authentication Methods for the PAM Agent

Scenario Authentication Methods

The following methods are supported:

l RSA SecurID Token

l SecurID Authenticate Tokencode
PAM agent connects to the Cloud
l Approve
Authentication Service
l Device Biometrics
l SMS Tokencode
l Voice Tokencode

Chapter 1: Installing the PAM Agent 11

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Scenario Authentication Methods

FIDO Tokens and authentication conditions requiring combinations of
methods (such as Approve AND RSA SecurID token) are not supported.
PAM agent connects to
Authentication Manager with the You can authenticate with RSA SecurID hardware and software tokens.
UDP protocol
Support for all types of authentication supported by Authentication
PAM agent connects to
Manager over the REST protocol, such as RSA SecurID software and
Authentication Manager with the
hardware tokens and Authenticate Tokencode through an integration with
REST protocol
the Cloud Authentication Service.
l Cloud Authentication Service methods are supported.
Direct connection to the Cloud
l Users are prompted for Authenticate Tokencode if the Cloud
Authentication Service uses
Authentication Service or the connection between Authentication
RSA Authentication Manager 8.5 as
Manager and the Cloud Authentication Service is temporarily
a secure proxy server.
unavailable or too slow.
Direct connection to l Authentication Manager methods are supported, and methods ,
RSA Authentication Manager 8.5 such as Authenticate Tokencode, that are supported through an
with the UDP protocol or the integration with the Cloud Authentication Service.
REST protocol. l Users are prompted for Authenticate Tokencode or RSA SecurID
Authentication Manager is passcode if the Cloud Authentication Service or the connection
connected to the Cloud between Authentication Manager and the Cloud Authentication
Authentication Service Service is temporarily unavailable or too slow.

Software Requirements

This section describes the minimum software versions supported by the PAM agent.

Required Operating Systems

The PAM agent requires one of the following operating systems:

l RHEL 6.10 (32-bit and 64-bit)

l RHEL 7.5 (64-bit)
l RHEL 7.6 (64-bit)
l RHEL 7.8 (64-bit)
l RHEL 7.9 (64-bit)
l RHEL 8.0 (64-bit)
l RHEL 8.3 (64-bit)
l RHEL 8.5 (64-bit)
l Note: Telnet tool is not installed by default.
l RHEL 8.6 (64-bit)
l RHEL 9.0 (64-bit)
l Note: Telnet-client and Telnet-server are not installed by default.
l CentOS 7.5 (64-bit)

12 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

l CentOS 7.9 (64-bit)

l Oracle Linux 6.10 (64-bit)
l Oracle Linux 7.5 (64-bit)
l SUSE Linux Enterprise Server 11 SP4 (32-bit and 64-bit)
l SUSE Linux Enterprise Server 12 SP3 (64-bit)
l SUSE Linux Enterprise Server 15 (64-bit)
l Solaris 10 SPARC Update 11 (32-bit and 64-bit) with Zones
l Solaris SPARC 11.2 (32-bit and 64-bit)
l Solaris SPARC 11.3 (32-bit and 64-bit)
l Solaris SPARC 11.4 (32-bit and 64-bit)
l Solaris 10 x86 Update 11 (32-bit)
l Solaris x86 11.2 (32-bit)
l AIX 7.1 TL3 (SP5) Power 6 (32-bit and 64-bit)
l AIX 7.2 TL1 (SP2) Power 8 (32-bit and 64-bit)
l Ubuntu 18.04
l Ubuntu 20.04 (64-bit)

The corresponding 32-bit or 64-bit version of libuuid.so (UUID library) must be installed on the PAM agent
machine.

SELinux Requirements for RHEL and Oracle Linux

If SELinux is enabled on any RHEL or Oracle Linux system, you must install the following packages before
installing SecurID Authentication Agent 8.1 for PAM:

selinux-policy-devel*.noarch.rpm
policycoreutils-devel*.rpm

If SELinux is enabled on RHEL 6.10 32-bit and 64-bit, or Oracle Linux 6.10 64-bit, you must install the following
packages before installing the SecurID Authentication Agent 8.1 for PAM:

setools-libs-3.3.7-4.el6.x86_64.rpm
setools-libs-python-3.3.7-4.el6.x86_64.rpm
audit-libs-python-2.4.5-3.el6.x86_64.rpm
libsemanage-python-2.0.43-5.1.el6.x86_64.rpm
policycoreutils-python-2.0.83-29.0.1.el6.x86_64
setroubleshoot-plugins-3.0.40-2.0.1.el6.noarch
setroubleshoot-server-3.0.47-11.0.1.el6.x86_64

RSA SecurID Authentication API Version Support

The SecurID Authentication Agent 8.1 for PAM supports the RSA SecurID Authentication API version 1.1 , which
is the current version of the REST APIs.

Authentication Manager Version Support

The following table lists the Authentication Manager versions that are required to support specific features.

Chapter 1: Installing the PAM Agent 13

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Required
Authentication Supported Feature
Manager Version
The PAM agent requires Authentication Manager 8.2
8.2 SP1 or later
SP1 or later.
If the agent reporting flag is enabled on the
8.2 SP1 Patch 5 or PAM agent, Authentication Manager 8.2 SP1 Patch 5
later or later is required to avoid failed authentications in
REST mode.
Authentication Manager 8.3 and later versions
include agent reports that help you to manage your
8.3 or later installed REST protocol PAM agents. These reports
include the additional information that the PAM agent
can send to Authentication Manager.
Authentication Manager 8.5 lets you use
RSA Authentication Manager as a secure proxy
server that sends any authentication requests that
Authentication Manager cannot validate directly to
the Cloud Authentication Service.
8.5 This authentication mode supports the all of the
authentication methods supported by the PAM agent.
It does not support certain Authentication Manager
features, such as agent reporting, enabling and
disabling or restricting agents, and failover to replica
instances for agents.

Cloud Authentication Service Version Support

The SecurID Authentication Agent 8.1 for PAM supports the RSA SecurID Authentication API version 1.1, which
is the current version of the REST APIs.

Certificate Requirements
The PAM agent uses TLS 1.2 certificates for the REST protocol. The Cloud Authentication Service and
RSA Authentication Manager 8.2 or later can accept these certificates. Deployments that do not use TLS 1.2
certificates must use the authentication mode that supports Authentication Manager with the UDP protocol.

In the REST protocol authentication modes, the PAM agent uses the FIPS-compliant cryptographic library
module fips-2.0.16 with OpenSSL version 1.0.2l. For more information, see OpenSSL FIPS 140-2 Security
Policy Version 2.0.16 at https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf.

Supported Tools
The PAM agent supports the following tools:

l telnet
l login
l rlogin

Note: RHEL 8.0 (64-bit) does not support rlogin. The rlogin tool continues to be supported by other
versions of RHEL.

14 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

l su
l ssh (ssh, sftp and scp)
l sudo

Download and install the supported sudo version from https://www.sudo.ws.

l ftp (limited to a single transaction)

l gdm

OpenSSH Support (Optional)

If you are using OpenSSH, verify that you are using the compatible version of OpenSSH for your platform.
OpenSSH is not required.

The following optional OpenSSH tools are supported:

l ssh
l sftp
l scp

Install OpenSSH on the agent machine. For OpenSSH, including prerequisites and the additional software
required for compiling source code, see https://www.openssh.com.

Planning to Install the PAM Agent

Before installing the PAM agent, do the following:

l On the machine where you are installing the PAM agent:

1. Obtain root permissions.
2. Create a /var/ace directory for PAM agent configuration files, if one does not already exist, and
create an installation directory.
3. Obtain the server trusted root CA certificate from Authentication Manager or the Cloud
Authentication Service. If you are using Authentication Manager 8.5 as a secure proxy server to
the Cloud Authentication Service, you require an Authentication Manager certificate. (For
instructions, see the knowledgebase article How to export RSA SecurID Access Authentication
Manager or Cloud Authentication Service Root Certificate.) Then do the following:
a. Verify that the certificate has not expired.
b. Store the certificate in PEM format. If there are multiple CA certificates, they need to be
concatenated into a single file in PEM format.

The file format should be like the following:

-----BEGIN CERTIFICATE-----

Thawte (BASE64)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Entrust (BASE64)

-----END CERTIFICATE-----

Chapter 1: Installing the PAM Agent 15

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

c. Copy filename.pem into the /var/ace/ directory.

d. Protect the /var/ace/ directory containing the certificates. Use the appropriate
privileges to restrict access to trusted administrators.

l To authenticate with Authentication Manager, create an authentication agent record for the PAM agent in
the internal database. For more information, contact your Authentication Manager Super Admin or see
the Authentication Manager Help on RSA Link.
l To authenticate with the UDP protocol, you must generate the Authentication Manager configuration file,
sdconf.rec, or obtain this file from your Authentication Manager Super Admin. This file is not needed for
authentication with the REST protocol.

The sdconf.rec file specifies how the agent communicates with the Authentication Manager primary
instance and replica instances by IP address. Do the following:

l Make sure the latest version of the sdconf.rec file is in an accessible directory on the agent
machine, such as the default /var/ace directory.
l You must have write permission to the directory in which the sdconf.rec file is stored.
l In the authentication mode that uses the Cloud Authentication Service with the REST Protocol, the
PAM agent relies upon the Cloud Authentication Service for load balancing and failover.
l In the authentication mode that uses Authentication Manager with the REST protocol, the PAM agent
does not support load balancing. The PAM agent supports failover to a maximum of 15 Authentication
Manager replica instances.
l If you are using Authentication Manager 8.5 as a secure proxy server to the Cloud Authentication
Service, you can use Authentication Manager with REST protocol mode or Cloud Authentication Service
mode, depending upon the authentication methods that are required. In each case, the PAM agent
connects to Authentication Manager. Collect the required information that is listed in the Authentication
Manager with the REST protocol table.
l Collect the information that you will provide while installing the PAM agent.

Authentication Manager with the UDP protocol. You can keep the default values or specify new
directories.

Description Your Plan

Directory where sdconf.rec is located. The
default value is /var/ace/.
Root path for the PAM agent directory. The
default value is /opt.

Authentication Manager with the REST protocol. Ask your Authentication Manager Super Admin for the
following information:

Description Your Plan

REST server URL for communication between
the authentication agent and the
Authentication Manager primary instance.
Use the following format:

https://HOSTNAME:PORT/mfa/v1_

16 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Description Your Plan

1/authn

On the primary instance obtain the

HOSTNAME value from the Fully Qualified
Domain Name field on the Administration
> Network > Appliance Network
Settings page of the Operations Console.
The default PORT is 5555.
Number of Authentication Manager replica
instances that can be used for failover.
REST server URL for each replica instance.
Use the following format:

https://HOSTNAME:PORT/mfa/v1_
1/authn

On the replica instance, obtain the HOSTNAME

value from the Fully Qualified Domain
Name field on the Administration >
Network > Appliance Network Settings
page of the Operations Console. The default
PORT is 5555.
Access Key (client key) for securely passing
user authentication requests to
Authentication Manager. This value is
generated in the Security Console on the
Authentication Manager primary instance.

For instructions on how to obtain the Access

Key, see the following topic on RSA Link:
Configure the RSA SecurID Authentication
API for Authentication Agents.
Enter the directory and filename for the
server trusted root certificate on the
authentication agent. The default value is
/var/ace/cert.pem.
Authentication agent name (Client ID) that
was created for the PAM agent in
Authentication Manager.
Root path for the PAM agent directory. The
default value is /opt.

Cloud Authentication Service with the REST protocol. Ask the Cloud Authentication Service Super Admin
for the following information:

Description Your Plan

REST server URL for communication between

Chapter 1: Installing the PAM Agent 17

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Description Your Plan

the agent and the Cloud Authentication
Service. Use the following format:

https://HOSTNAME/mfa/v1_1/authn

Obtain the hostname from the Cloud

Administration Console. Click My Account >
Company Settings > Authentication API
Keys. Copy the RSA SecurID
Authentication API REST URL.

You do not need to specify a port. The default

port is 443.
Authentication API key (client key) created in
the Cloud Administration Console for securely
passing user authentication requests to the
Cloud Authentication Service.

For instructions on how to obtain the

Authentication API key, see the following
topic on RSA Link: Add an RSA SecurID
Authentication API Key.
Directory and filename for the server trusted
certificate on the authentication agent. The
default value is /var/ace/cert.pem.
The Tenant ID is required. The PAM agent
must provide a value for the Tenant ID in
authentication requests.

For example, you can set the Tenant ID to the

the Company ID from the Cloud
Administration Console. To find the Company
ID, in the Cloud Administration Console, click
My Account > Company Settings and
select the Company Information tab.
Access policy name for the Cloud
Authentication Service. The policy name is
case-sensitive. This policy is defined in the
Cloud Administration Console.
CLIENT_ID authentication agent name to
display in mobile notifications. You can enter
any value. For example, PAM_Agent.
Root path for the PAM agent directory. The
default value is /opt.

Installing the RSA Authentication Agent 8.1 for PAM

Complete the following tasks to install the PAM agent:

18 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

1. Specify the Agent IP Address for UDP Mode below

2. Configure OpenSSH below
3. Install the PAM Agent on the next page
4. For UDP mode, perform a test authentication. For more information, see Authentication Utilities for
UDP Mode on page 43.

For a REST protocol mode, test the connection by accessing the REST server URL with any browser or
http client. For example, enter https://HOSTNAME:PORT/mfa/v1_1/authn. Because you are not
currently authenticating, your browser or http client should display a "Forbidden" or "Unauthorized"
HTTP response.

5. Enable SELinux on page 23 (if required).

Specify the Agent IP Address for UDP Mode

For UDP mode, you must create the sdopts.rec file in the same directory that is used by the sdconf.rec file.
This procedure does not apply to REST mode.

File Description
Lists the IP address for the machine where you installed the agent. The agent uses the IP
sdopts.rec
address in the sdopts.rec file to communicate with Authentication Manager.
sdconf.rec Specifies the IP addresses that are used by Authentication Manager.

Procedure
1. On the agent machine, use a text editor to create an sdopts.rec file in the path where the sdconf.rec
file is saved.
2. In the file, type:

CLIENT_IP=x.x.x.x

where x.x.x.x is the IP address of the agent host.

Note: Use only uppercase letters and do not include spaces.

3. Save the file.

Configure OpenSSH
If you are using OpenSSH, the suite of security-related network utilities based on the Secure Shell (SSH)
protocol, you must configure this software to work with the PAM agent and to display passcode authentication
messages to users.

Before you begin

Procedure
1. On the agent machine, open the sshd_config file.
2. Set the following parameters and save the changes:
Parameter Setting
UsePAM yes

Chapter 1: Installing the PAM Agent 19

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Parameter Setting
PasswordAuthentication no
ChallengeResponseAuthentication yes

Setting the PasswordAuthentication parameter to no disables the OpenSSH password prompt. The
PAM agent is used instead. As a result, the user is prompted for SecurID authentication only. However,
OpenSSH-8.7-P1 version and later can accept system-wide configurations. The system administration
should take care of this while configuring sshd daemon for RSA PAM agent.

3. Restart sshd. Type:

service sshd restart

Install the PAM Agent

You can either manually install the PAM agent on individual machines, or you can choose silent installation to
automate the process of deploying multiple copies of the PAM agent.

Before Installing the PAM Agent on RHEL 8.0 (64-bit)

On RHEL 8.0 (64-bit), type the following before you install the PAM agent:

mkdir /etc/selinux/targeted/modules

If SELinux is enabled, running the PAM agent installer may result in configuration messages such as “ValueError:
File context for /var/ace/.* already defined” or SELinux duplicate definition errors. You can safely ignore these
messages.

Install the PAM Agent on One Machine

Perform this task to install one PAM agent. To install the PAM agent on more then one machine, see Bulk Install
the PAM Agent with the Silent Installation on page 22.

Procedure
1. On the agent machine, change to the PAM agent installer directory.
2. Untar the file by typing:

tar -xvf filename.tar

3. Run the install script by typing:

/filename/install_pam.sh

4. Follow the prompts. Press ENTER to accept the default value, or enter the appropriate value.

For Authentication Manager UDP mode, do the following:

l Accept the License for RSA Software.

l Enter 0 to select the Authentication Manager with the UDP Protocol authentication mode.
l Enter the directory where sdconf.rec is located.
l Enter the PAM agent installation directory.

For Authentication Manager REST mode, do the following:

20 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

l Accept the License for RSA Software.

l Enter 1 to select the Authentication Manager with the REST Protocol authentication mode.
l Enter the REST server URL for communication between the authentication agent and the primary
instance.
l Enter y if there are Authentication Manager replica instances for failover.
l Specify the number of replica instances.
l Enter the REST server URL for each replica instance.
l Enter the client key (Access Key) for securely passing authentication requests to Authentication
Manager.
l Enter the directory and filename for the server trusted certificate on the authentication agent.
l Enter the client ID, which is the authentication agent name in Authentication Manager.
l Enter the PAM agent installation directory.

For Cloud Authentication Service REST mode, do the following:

l Accept the License for RSA Software.

l Enter 2 to select the Cloud Authentication Service with the REST Protocol authentication mode.
l Enter the REST server URL for communication between the authentication agent and the Cloud
Authentication Service.

If you are using Authentication Manager 8.5 as a proxy server to the Cloud Authentication
Service, enter the REST server URL for communication between the authentication agent and the
Authentication Manager primary instance.

l Enter the client key (Authentication API key) for securely passing authentication requests to the
Cloud Authentication Service.

If you are using Authentication Manager 8.5 as a proxy server, enter the client key (Access Key)
for securely passing authentication requests to Authentication Manager.

l Enter the directory and filename for the server trusted certificate on the authentication agent.
l Enter the tenant ID for the Cloud Authentication Service.
l If you are using Authentication Manager 8.5 as a proxy server, enter the same tenant ID that was
used to connect Authentication Manager to the Cloud Authentication Service.
l Enter the access policy name for the Cloud Authentication Service.
l Enter the CLIENT_ID authentication agent name to display in mobile notifications.
l Enter the PAM agent installation directory.

5. For UDP mode only, verify that VAR_ACE in the /etc/sd_pam.conf file points to the correct location of
the sdconf.rec file. This is the path to the configuration files. The entire path must have -rw------- root
permission.

After you finish

l You can verify the installation by checking the installer.log file in the PAM agent installer directory.
l For UDP mode, perform a test authentication. For more information, see Authentication Utilities for
UDP Mode on page 43.

Chapter 1: Installing the PAM Agent 21

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

l For a REST protocol mode, test the connection by accessing the REST server URL with any browser or
http client. For example, enter https://HOSTNAME:PORT_NO/mfa/v1_1/authn. Because you are not
currently authenticating, your browser or http client should display a "Forbidden" or "Unauthorized"
HTTP response.

Bulk Install the PAM Agent with the Silent Installation

Perform this task to deploy a large number of PAM agents with identical configuration information. For example,
perform this task if you need to install a large number of agents that communication with the same
Authentication Manager servers or the same Cloud Authentication Service.

Before you begin

Install the PAM agent manually and record the prompts. For instructions, see Install the PAM Agent on One
Machine on page 20.

Procedure
1. Create a text-based configuration file where you will specify configuration options for the PAM agent
install script. You can choose any name for the configuration file, such as installoptions.conf.
2. Open the file and list each configuration option you want to select on a separate line, in the same order
that the prompts are presented during a manual installation of the PAM agent.

The following example describes the corresponding prompt for each option specified in the
UDP configuration:

Example
Option
Value
Continue silent installation? (y) This prompt is always included
y
first.
Accept Accept license terms and conditions? (Accept)

Authentication mode? (numerical value for desired mode)

0 0: RSA Authentication Manager with the UDP Protocol

1: RSA Authentication Manager with the REST Protocol

2: Cloud Authentication Service with the REST Protocol

/var/ace Directory containing sdconf.rec? (directory path)
/opt Installation path for PAM agent directory? (directory path)
y Upgrade/overwrite existing installation? (y/n)

In this case, the text-based configuration file would contain:

y
Accept
0
/var/ace
/opt
y

22 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

As another example, for Authentication Manager REST mode, the configuration file might contain data
that is similar to the following:

y
Accept
1
https://am821.example.com:5555/mfa_v1_1/authn
0i78x21rih887gb48126ufxh4g63orh3a3rt28k5416a2b3jxh05h86i7gntjfh3
/var/ace/cert.pem
sp7-dp33.network.com
/opt
y

Note: The number and order of the install prompts vary depending on the PAM agent mode and
platform you are installing.

3. Change to the PAM agent installer directory.

4. Untar the file by typing:

tar -xvf filename.tar

5. Run the install script by typing:

/filename/install_pam.sh -s < installoptions.conf

where installoptions.conf is the configuration file you created in Step 1. if the configuration file is in
different location than current directory, specify the full path to the installoptions.conf file.

Enable SELinux
After you install the PAM agent, you can enable SELinux (Security-Enhanced Linux).

Before you begin

l On the agent machine, verify that the PAM agent is successfully working.

For example, in UDP mode, perform a test authentication, or in REST mode, try pinging an
Authentication Manager server or the Cloud Authentication Service. For more information on testing
UDP mode, see Authentication Utilities for UDP Mode on page 43.

l Create a backup of the /etc/sd_pam.conf and /var/ace directories.

l To avoid blocking access to the PAM agent machine, configure the RSA SecurID protected tools to use
the standard PAM module provided with your operating system, and not the RSA PAM module. Revert the
tool configuration to work without the RSA Authentication Agent 8.1 for PAM.

Close any active sessions using the RSA PAM modules.

Note: If you uninstall the RSA module while there are references to the RSA module in the /etc/pam.d
directory, you will be locked out of your system.

Procedure
1. On the agent machine, enable SELinux.
2. Reinstall the PAM agent to create SELinux policies for all of the tools:

Chapter 1: Installing the PAM Agent 23

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

a. Run the install script by typing:

/<filename>/install_pam.sh

b. Type y when the installer prompts you to overwrite your current installation.
c. Overwrite the existing SELinux policy. When prompted, type y or press ENTER to select the
default yes value.

After you finish

l Enable auth required pam_securid.so for any configured tool, and test authentication.
l If SELinux is enabled, and the cert.pem file is installed in a custom directory, instead of the default
/var/ace/ directory, you must enable selinux policy on the custom directory.

Execute the following commands, where cust_cert is the custom certificate directory:

semanage fcontext -a -t var_t '/cust_cert/cert.pem'

restorecon -v '/cust_cert/cert.pem'

Upgrade to the RSA Authentication Agent 8.1 for PAM

You can upgrade to RSA Authentication Agent 8.1 for PAM from version 7.1 Patch 2 (7.1.0.2) or from version
8.0.

When upgraded from 7.1.0.2, the upgraded agent uses Authentication Manager and UDP protocol for
authentication. You can change the authentication mode to take advantage of the Cloud Authentication Service
or Authentication Manager and the REST protocol. For instructions, see Changing the PAM Agent Authentication
Mode on page 35.

When upgraded from 8.0, the upgraded agent retains the same authentication mode that was configured for the
previous version.

Before you begin

l You must have root permissions on the agent host and write permission to the directory in which the
sdconf.rec file is stored. This file is usually stored in the default /var/ace directory.
l Back up the configuration files before overwriting to save the configuration settings. For more
information, see Critical Configuration Files on page 52.
l Configure the RSA SecurID protected tools to use the standard PAM module provided with your operating
system, and not the RSA PAM module. Any active sessions using the RSA PAM modules must be closed
before you proceed with the upgrade.
l On RHEL 8.0 (64-bit), type the following before you upgrade the PAM agent:

mkdir /etc/selinux/targeted/modules

If SELinux is enabled, running the PAM agent installer may result in configuration messages such as
“ValueError: File context for /var/ace/.* already defined” or SELinux duplicate definition errors. You can
safely ignore these messages.

24 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
1. On the agent machine, change to the PAM agent installer directory.
2. Untar the file by typing:

tar -xvf filename.tar

3. Run the install script by typing:

/<filename>/install_pam.sh

4. Overwrite the existing installation files. Type y when the installer prompts you to overwrite your current
installation.
5. If SELinux is enabled and you plan to use the REST protocol for authentication, you must overwrite the
existing SELinux policy. When prompted, type y or press ENTER to select the default yes value.

If you type n, some tools will be unable to authenticate with the REST protocol. However, you can
overwrite the existing SELinux policy by running the install script again. Files that are already upgraded
are not affected.

6. Obtain the agent version number to determine if the upgrade succeeded. Type:

strings pam_securid.so | grep "Agent"

This returns the version number of the installed agent.

Configuring Tools

You must configure the supported tools to prompt users with the authentication methods supported by the
Cloud Authentication Service and Authentication Manager.

Note: The number of allowed concurrent users settings on the Unix server should be set up for each tool, the
operating system being used, and the expected concurrent logons to the server, especially when using the Cloud
Authentication Service. For example, configure the “MaxStartups” setting in the /etc /ssh/sshd_config file
for SSH and the “Instances” setting in the /etc/xinetd.d/telnet file for telnet.

Configure telnet below

Configure login on the next page

Configure rlogin on the next page

Configure su on the next page

Configure ssh and Related Tools on page 27

Configure sudo on page 27

Configure ftp on page 27

Configure gdm on page 28

Configure telnet
Configure telnet to prompt users for the authentication methods supported by the Cloud Authentication Service
and Authentication Manager.

Chapter 1: Installing the PAM Agent 25

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
Note: PAM agent 8.1 does not support kerberos telnet.

1. Change to the /etc/pam.d directory.

2. Open the remote file.
3. Comment any lines beginning with auth.
4. Add the line:

auth required pam_securid.so

5. For Oracle Linux 6.8 (64-bit) only, repeat these steps for the /etc/pam.d/login file.

For all other versions of RHEL and Oracle Linux, the procedure is complete.

Configure login
Configure the login command to prompt users for the authentication methods supported by the Cloud
Authentication Service and Authentication Manager.

1. Change to the /etc/pam.d directory.

2. Open the login file.
3. Comment lines beginning with auth.
4. Add the line:

auth required pam_securid.so

Configure rlogin
Configure the rlogin utility to prompt users for the authentication methods supported by the Cloud
Authentication Service and Authentication Manager.

Before you begin

If rlogin is not working on RHEL 6.8 or Oracle Linux 6.8, follow the procedures in Known Configuration Issues on
page 41.

Note: RHEL 8.0 (64-bit) does not support rlogin. The rlogin tool continues to be supported by other versions of
RHEL.

Procedure
1. Change to the /etc/pam.d directory.
2. Open the rlogin file.
3. Comment lines beginning with auth.
4. Add the line:

auth required pam_securid.so

Configure su
Configure the su command to prompt users for the authentication methods supported by the Cloud
Authentication Service and Authentication Manager.

26 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
1. Change to /etc/pam.d directory.
2. Open the su file.
3. Comment any lines that begin with auth.
4. Add the line:

auth required pam_securid.so

Configure ssh and Related Tools

You can configure SSH and related tools, such as scp and sftp, to prompt users for the authentication methods
supported by the Cloud Authentication Service and Authentication Manager.

Procedure
1. Change to the /etc/pam.d directory.
2. Open the sshd file.
3. Comment lines beginning with auth.
4. Add the line:

auth required pam_securid.so

Configure sudo
If you require sudo, you must configure the sudo command to prompt users for the authentication methods
supported by the Cloud Authentication Service and Authentication Manager.

Before you begin

Download and install the supported sudo version from https://www.sudo.ws.

Procedure
1. Change to the /etc/pam.d directory.
2. Open the sudo file.
3. Comment any lines that begin with auth.
4. Add the line:

auth required pam_securid.so

Configure ftp
Configure the ftp protocol to prompt users for the authentication methods supported by Authentication
Manager.

You cannot use the Cloud Authentication Service to protect ftp; However, you can use sftp. For instructions, see
Configure ssh and Related Tools above.

Procedure
1. Change to the /etc/pam.d directory.
2. Open the vsftpd file.
3. Comment lines beginning with auth.

Chapter 1: Installing the PAM Agent 27

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

4. Add the line:

auth required pam_securid.so

Configure gdm
You can configure gdm to prompt users for the authentication methods supported by the Cloud Authentication
Service and Authentication Manager.

Procedure
1. Change to the /etc/pam.d directory.
2. Modify the gdm,gdm-password and gdm-autologinfiles as follows:
a. Open each gdm file.
b. Comment any lines that begin with auth.
c. Add the line:

auth required pam_securid.so

28 Chapter 1: Installing the PAM Agent

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Chapter 2: Configuring Features

Configuring Agent and UNIX Features 29

Changing the PAM Agent Authentication Mode 35

Configuring Agent and UNIX Features

You can customize the PAM agent configuration to use optional agent and UNIX features.

Note: Before customizing the agent, make backup copies of the original configuration files.

Multiple configuration files are located in the /etc/pam.d directory. Each file uses the name of the connection
tool.

To customize the agent, see:

Enable Agent Reporting for SecurID Authentication Agent 8.1 for PAM below

Enable Debug Output on the next page

Enable SecurID Trace Logging for UDP Mode on the next page

Configure Stackable Modules on the next page

Use Reserve Passwords on page 31

Enable Selective SecurID Authentication on page 32

Configure Exponential Backoff Time on page 33

Enable Agent Reporting for SecurID Authentication Agent 8.1 for PAM
You can configure the ENABLE_AGENT_REPORTING parameter in the mfa_api.properties file to send agent
details, such as the hostname, agent version, and OS version, to Authentication Manager. You can use
Authentication Manager 8.3 or later to run reports that include these details.

Before you begin

You must have root permissions on the machine where the agent is installed and write permission to the
directory in which the mfa_api.properties file is stored. By default, this file is stored in /var/ace/conf.

Procedure
1. Change to the directory where mfa_api.properties is located. By default, the directory is
/var/ace/conf.
2. Open mfa_api.properties.
3. Change the ENABLE_AGENT_REPORTING parameter to 1, which enables agent reporting. The default
value is 0.
4. Save the file.

Chapter 2: Configuring Features 29

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Details of the PAM agent and the machine that it is installed on are included in PAM agent reporting
details that are sent to Authentication Manager.

Enable Debug Output

For troubleshooting, you can enable debug output for specific tools that are used by the PAM agent.

You can also configure the system log to record all PAM agent authentication log messages. For more
information, see Logging for the PAM Agent on page 46.

Procedure
1. Change to the /etc/ directory, and open the pam.d file.
2. Edit the appropriate file by adding a debug argument for the pam_securid.so module. Type:

auth required pam_securid.so debug

Enable SecurID Trace Logging for UDP Mode

You can enable detailed SecurID trace logging for the PAM agent and for the authentication utilities acetest and
acestatus. By default, when you install the PAM agent, SecurID trace logging is disabled.

Procedure
1. Change to the /etc/ directory, and open the sd_pam.conf file.
2. To enable detailed agent logging and set the level of logging, set the following variable:

RSATRACELEVEL=value

Where value is a setting from the following table.

Value Description
0 Disables logging (default)
1 Logs regular messages
2 Logs function entry points
4 Logs function exit points
8 All logic flow controls use this (ifs)

For combinations, add the corresponding values. For example, to log regular messages and function
entry points, set the value to 3.

3. Specify the file path where the logs are redirected. Set the following variable:

RSATRACEDEST=filepath

Where filepath is the file path.

By default this variable is blank. If you do not set this variable, the logs go to standard error for
authentication utilities acetest and acestatus, and no logs are generated for authentication tools, even if
the RSATRACELEVEL value has been specified.

4. Save your changes.

Configure Stackable Modules

In a stacked configuration, you use the agent to integrate the RSA SecurID PAM authentication module with

30 Chapter 2: Configuring Features

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

other PAM authentication modules in your environment. The password or passcode is passed from the one
authentication module to the next one. You can configure the priority of authentication challenges by editing the
appropriate /etc/pam.d/tool name configuration file.

Note: The arguments use_first_pass and try_first_pass are not supported when a stacked configuration is used
with the Cloud Authentication Service.

The agent works with these arguments:

l use_first_pass. The agent uses only the password or passcode passed from the previous module, and
denies access if the credentials do not match. The user is not prompted for authentication again.
l try_first_pass. The agent uses the password or passcode passed from the previous module. If the
credentials do not match, the user is prompted for authentication.
l not_set_pass. The agent does not send the password or passcode to the stacked password module.

Note: When users excluded from SecurID authentication make failed login attempts to access the RSA PAM
module, the exponential backoff feature ensures that RSA PAM module retains control until login is successful or
the authentication session ends. For more information on configuring exponential backoff time, see Configure
Exponential Backoff Time on page 33.

The following section provides an example of how to configure a connection tool (login tool) in a stacked
environment.

Procedure
1. Change to /etc/pam.d and open the login file.

The following text is displayed:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open

2. Comment the following lines:

auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
3. Add the following lines. Type:
auth required pam_securid.so

Use Reserve Passwords

The reserve password feature is an emergency access method that enables you, the administrator, to
authenticate to the protected machine on which the agent is installed without entering an RSA SecurID

Chapter 2: Configuring Features 31

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

passcode. The PAM agent allows only root administrators to use reserve passwords during unforeseen
circumstances, such as loss of communication between the agent and SecurID Authentication Agent 8.1 for
PAM. In these situations, administrators can temporarily disable the agent, if users require immediate access to
the hosted resources.

Note: The UNIX password is the reserve password.

Procedure
1. Open the appropriate file in /etc/pam.d.
2. Add a reserve argument to the pam_securid.so module. Type:

auth required pam_securid.so reserve

Enable Selective SecurID Authentication

You can configure the agent to selectively always or never prompt specific UNIX users or groups for
SecurID authentication:

Enable Selective SecurID Authentication for UNIX Groups below

Enable Selective SecurID Authentication for UNIX Users on the facing page

Note: When both selective group support and selective user support are enabled, only selective user support is
enabled, and selective group support is ignored.

The following table lists the possible values which can be set in the sd_pam.conf file.

ENABLE_ ENABLE_
GROUPS_ USERS_ Result
SUPPORT SUPPORT
0 0 Neither feature is enabled. Every user and user group gets challenged.
Selected user support is enabled.
0 1 The PAM agent always prompts specific UNIX users to authenticate with
SecurID, or never prompts specific users to authenticate with SecurID.
Selected group support is enabled.
1 0 The PAM agent always prompts specific UNIX groups to authenticate with
RSA SecurID, or never prompts specific groups to authenticate with SecurID.
Selected user support is enabled.
1 1 The PAM agent always prompts specific UNIX users to authenticate with
SecurID, or never prompts specific users to authenticate with SecurID.

Enable Selective SecurID Authentication for UNIX Groups

You can configure the PAM agent to always or never prompt specific UNIX groups to authenticate with
RSA SecurID. When the PAM agent is installed, this feature is not enabled.

Group members excluded from SecurID authentication can be authenticated either with UNIX credentials or
through another PAM module in the stack. To do this, configure the PAM_IGNORE_SUPPORT parameter.

Note: Do not specify Authentication Manager groups. This feature is for UNIX groups only.

32 Chapter 2: Configuring Features

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the ENABLE_GROUP_SUPPORT parameter to 1. The default value is 0.
3. Populate the LIST_OF_GROUPS parameter.
4. Set the value for the INCL_EXCL_GROUPS parameter.
Valid values are:
0—Disable SecurID authentication for the listed groups (default).
1—Enable SecurID authentication only for the listed groups.
5. (Optional) Set the PAM_IGNORE_SUPPORT parameter.
Valid values are:
0—Enable UNIX password authentication (default).
1—Disable UNIX password authentication.
This parameter applies only to groups excluded from SecurID authentication.
6. Save the file.

Enable Selective SecurID Authentication for UNIX Users

You can configure the PAM agent to always or never prompt specific UNIX users to authenticate with SecurID.
When the PAM agent is installed, this feature is not enabled.

Users excluded from SecurID authentication can be authenticated either with UNIX credentials or through
another PAM module in the stack. To do this, configure the PAM_IGNORE_SUPPORT_FOR_USERS parameter.

Procedure
1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the ENABLE_USERS_SUPPORT parameter to 1. The default value is 0.
3. Populate the LIST_OF_USERS parameter.
4. Set the value for the INCL_EXCL_USERS parameter.
Valid values are:
0—Disable SecurID authentication for the listed users (default).
1—Enable SecurID authentication only for the listed users.
5. (Optional) Set the PAM_IGNORE_SUPPORT_FOR_USERS parameter.
Valid values are:
0—Enable UNIX password authentication (default).
1—Disable UNIX password authentication.
This parameter applies only to users excluded from SecurID authentication.
6. Save the file.

Configure Exponential Backoff Time

You can configure the time that a user who is excluded from RSA SecurID authentication is required to wait
before authenticating after each successive failed login attempt. By default, users can retry UNIX authentication
after a failed login attempt with a pow(4, failattempts) second delay. For example, three failed login attempts
result in a 64-second delay (four to the power of three, or 4 X 4 X 4 = 64).

Note: The ftp protocol does not support Exponential Backoff Delay.

Chapter 2: Configuring Features 33

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS parameter to N, as follows:

N Authentication Behavior
Disable retry UNIX authentication after a failed
0 login attempt. There is no authentication delay for
login attempts that follow a failed login attempt.
Enable retry UNIX authentication after a failed
1,2,3 login attempt with a pow(3, failattempts) second
delay.
Enable retry UNIX authentication after a failed
4 login attempt with a pow(4, failattempts) second
delay.
Enable retry UNIX authentication after a failed
5/Above login attempt with a pow(5/Above, failattempts)
second delay.

Replace the Server Trusted Root CA Certificate

You might need to replace the server trusted root CA certificate, for example, if the current Authentication
Manager or Cloud Authentication Service certificate is updated.

For instructions on obtaining this certificate, see the knowledgebase article How to export RSA SecurID Access
Authentication Manager or Cloud Authentication Service Root Certificate.

Before you begin

l You must have root permissions to the /var/ace directory on the machine where the PAM agent is
installed.

l Confirm that the new certificate is in PEM format. If there are multiple CA certificates, they need to be
concatenated into a single file in PEM format.

The file format should be like the following:

-----BEGIN CERTIFICATE-----

Thawte (BASE64)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Entrust (BASE64)

-----END CERTIFICATE-----

Procedure
1. Rename the new root certificate so it has the same name as the certificate you are replacing.

2. On the machine where the PAM agent is installed, copy and replace new_cert_file.pem into the
/var/ace/ directory.

34 Chapter 2: Configuring Features

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Changing the PAM Agent Authentication Mode

You can change the authentication mode for the PAM agent. For example, you can change the mode if you want
to use the expanded authentication options that are provided by the Cloud Authentication Service. By default,
an upgraded PAM agent uses Authentication Manager with the UDP protocol.

Change from the UDP Protocol to the REST Protocol

You can change the UDP protocol authentication mode to the REST protocol for SecurID Authentication Agent
8.1 for PAM or the Cloud Authentication Service.

Before you begin

l You must have root permissions on the machine where the agent is installed.
l You must have write permission to the directory in which the sdconf.rec file is stored. By default, this
file is stored in /etc.
l You must have write permission to the directory in which the mfa_api.properties file is stored. By
default, this file is stored in /var/ace/conf.
l Collect the required information.

For Authentication Manager authentication with the REST protocol, ask your Authentication Manager
Super Admin for the following information.
Parameter Description
REST server URL for communication between the authentication agent and the
Authentication Manager primary instance. Use the following format:

https://HOSTNAME:PORT/mfa/v1_1/authn
REST_URL
On the primary instance obtain the HOSTNAME value from the Fully Qualified
Domain Name field on the Administration > Network > Appliance Network
Settings page of the Operations Console. The default PORT is 5555.
A REST server URL for each replica instance that can be used for failover. Use the
following format:
REPLICA_number
https://HOSTNAME:PORT/mfa/v1_1/authn
Where number is
from 1 to 15. On the replica instance, obtain the HOSTNAME value from the Fully Qualified
Domain Name field on the Administration > Network > Appliance Network
Settings page of the Operations Console. The default PORT is 5555.
Access Key (client key) for securely passing user authentication requests to
Authentication Manager.This value is generated in the Security Console on the
CLIENT_KEY Authentication Manager primary instance.

For instructions on how to obtain the Access Key, see the following topic on RSA
Link: Configure the RSA SecurID Authentication API for Authentication Agents.
CA_CERT_FILE_ Directory and filename for the server trusted certificate on the authentication
PATH agent. The default value is /var/ace/cert.pem.
Authentication agent name (Client ID) that was created for the PAM agent in
CLIENT_ID
Authentication Manager.
For authentication with the Cloud Authentication Service, ask the Cloud Authentication Service Super

Chapter 2: Configuring Features 35

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Admin for the following information.

Parameter Description
REST server URL for communication between the agent and the Cloud
Authentication Service. Use the following format:

https://HOSTNAME/mfa/v1_1/authn
REST_URL
For the Cloud Authentication Service, obtain the HOSTNAME value. In the Cloud
Administration Console, click My Account > Company Settings >
Authentication API Keys. Copy the RSA SecurID Authentication API REST
URL.The default PORT is 443.
Authentication API key (client key) created in the Cloud Administration Console for
securely passing user authentication requests to the Cloud Authentication Service.
CLIENT_KEY
For instructions on how to obtain the Authentication API key, see the following topic
on RSA Link: Add an RSA SecurID Authentication API Key.
CA_CERT_FILE_ Enter the directory and filename for the server trusted certificate on the
PATH authentication agent. The default value is /var/ace/cert.pem.
The Tenant ID is required. The PAM agent must provide a value for the Tenant ID in
authentication requests.

TENANT_ID For example, you can set the Tenant ID to the the Company ID from the Cloud
Administration Console. To find the Company ID, in the Cloud Administration
Console, click My Account > Company Settings and select the Company
Information tab.
ASSURANCE_ Access policy name for the Cloud Authentication Service. The policy name is case-
POLICY_ID sensitive. This policy is defined in the Cloud Administration Console.
CLIENT_ID authentication agent name to display in mobile notifications. You can
CLIENT_ID
enter any value. For example, PAM_Agent.

Procedure
1. Change to the directory where sd_pam.conf is located. The default location is /etc.
2. Open sd_pam.conf.
3. Change the OPERATION_MODE parameter:
l For Authentication Manager with the REST protocol, enter 1.
l For the Cloud Authentication Service with the REST protocol, enter 2.

If the OPERATION_MODE parameter is 0, not specified or commented out, then the PAM agent defaults
to UDP mode.

4. Change to the directory /var/ace/conf. You need to update the mfa_api.properties file.
5. Open mfa_api.properties.
6. Remove comments to enable the required parameters.
7. Enter a value for each required parameter.
8. Save the file.

You can now use the REST protocol.

36 Chapter 2: Configuring Features

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

After you finish

If SELinux is enabled, you must run the following command, where REST_port_number is the port used for
REST authentication (the default port is 5555):

semanage port -a -t dns_port_t -p tcp REST_port_number

Change from the REST Protocol to the UDP Protocol

After installing the PAM agent to use the REST protocol, you can change the authentication mode to use
SecurID Authentication Agent 8.1 for PAM with the UDP Protocol.

After you change the authentication mode to use the UDP protocol, the REST protocol configuration settings in
the mfa_api.properties file no longer applies.

Before you begin

l The Authentication Manager configuration file, sdconf.rec, is required. You can generate this file in
Authentication Manager or obtain this file from your Authentication Manager Super Admin. For more
information, see Planning to Install the PAM Agent on page 15.
l You must have root permissions on the machine on which the agent is installed and write permission to
the directory in which the sd_pam.conf file is stored. By default, this file is stored in the /etc directory.

Procedure
1. Change to the directory where sd_pam.conf is located. The default location is /etc.
2. Open sd_pam.conf.
3. Change the OPERATION_MODE parameter to 0 for the UDP protocol:

OPERATION_MODE=0

If the OPERATION_MODE parameter is 0, not specified or commented out, then the PAM agent defaults
to UDP mode.

4. Copy sdconf.rec to the /var/ace directory.

You can now use the UDP protocol.

Change Between Authentication Manager and the Cloud Authentication Ser-

vice
You can change whether the PAM agent uses the REST protocol with Authentication Manager or the Cloud
Authentication Service.

If you are using Authentication Manager 8.5 as a secure proxy server to the Cloud Authentication Service, you
might want to use all of the authentication methods supported by the Cloud Authentication Service. To do so,
select Cloud Authentication Service mode. If you want Authentication Manager 8.5 to handle authentication and
only send authentication requests that it cannot validate to the Cloud Authentication Service, select
Authentication Manager mode. In both cases, you must use the REST server URL and the Authentication API key
(client key) for Authentication Manager.

Chapter 2: Configuring Features 37

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Before you begin

l You must have root permissions on the machine on which the agent is installed.
l You must have write permission to the directory in which the sdconf.rec file is stored. By default, this
file is stored in /var/ace.
l You must have write permission to the directory in which the mfa_api.properties file is stored. By
default, this file is stored in /var/ace/conf.
l The parameter CA_CERT_FILE_PATH for the server trusted certificate can remain the same. For the
other parameters, collect the required information:
For Authentication Manager authentication with the REST protocol, ask your Authentication Manager
Super Admin for the following information:
Parameter Description
REST server URL for communication between the authentication agent and the
Authentication Manager primary instance. Use the following format:

REPLICA_number https://HOSTNAME:PORT/mfa/v1_1/authn
Where number is from
On the replica instance, obtain the HOSTNAME value from the Fully Qualified
1 to 15.
Domain Name field on the Administration > Network > Appliance
Network Settings page of the Operations Console. The default PORT is 5555.
Access Key (client key) for securely passing user authentication requests to
Authentication Manager. This value is generated in the Security Console on the
CLIENT_KEY Authentication Manager primary instance.

For instructions on how to obtain the Access Key, see the following topic on RSA
Link: Configure the RSA SecurID Authentication API for Authentication Agents.
Authentication agent name (Client ID) that was created for the PAM agent in
CLIENT_ID
Authentication Manager.
For authentication with the Cloud Authentication Service, ask the Cloud Authentication Service Super
Admin for the following information:
Parameter Description
REST server URL for communication between the agent and the Cloud
Authentication Service. Use the following format:

https://HOSTNAME/mfa/v1_1/authn
REST_URL Obtain the hostname from the Cloud Administration Console. Click My
Account > Company Settings > Authentication API Keys. Copy the RSA
SecurID Authentication API REST URL.

You do not need to specify a port. The default port is 443.

Authentication API key (client key) created in the Cloud Administration Console
CLIENT_KEY
for securely passing user authentication requests to the Cloud Authentication

38 Chapter 2: Configuring Features

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Parameter Description
Service.

For instructions on how to obtain the Authentication API key, see the following
topic on RSA Link: Add an RSA SecurID Authentication API Key.
The Tenant ID is required. The PAM agent must provide a value for the Tenant
ID in authentication requests.

TENANT_ID For example, you can set the Tenant ID to the the Company ID from the Cloud
Administration Console. To find the Company ID, in the Cloud Administration
Console, click My Account > Company Settings and select the Company
Information tab.
ASSURANCE_POLICY_ Access policy name for the Cloud Authentication Service. The policy name is
ID case-sensitive. This policy is defined in the Cloud Administration Console.
CLIENT_ID authentication agent name to display in mobile notifications. You
CLIENT_ID
can enter any value. For example, PAM_Agent.

If the OPERATION_MODE parameter is 0, not specified or commented out, then the PAM agent defaults
to UDP mode.

4. Change to the directory /var/ace/conf. You must update the required values for the parameters in the
mfa_api.properties file.
5. Open mfa_api.properties.
6. Remove comments to enable the required parameters, and comment out any parameters that are no
longer needed.
7. Enter a value for each required parameter.
8. Save the file.

You can now use the REST protocol with the new authentication mode.

Chapter 2: Configuring Features 39

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Appendix A: Troubleshooting

Known Configuration Issues 41

Authentication Utilities for UDP Mode 43

Conversion Utility for UDP Mode 44

Node Secrets for UDP Mode 45

Logging for the PAM Agent 46

Logging for REST Mode 47

Troubleshooting SELinux 48

Configure Timeout and Retry Values for REST Authentication 49

Uninstall the RSA Authentication Agent 8.1 for PAM 49

Known Configuration Issues

This section describes known issues.

Issues With Supported Tools

Tool Known Issue
Problem: Display limitations can cause two problems for users:

l Authenticating users cannot see the entire message about available authentication
methods.
dtlogin
l Reserve password users can see a partial text entry field on screens where it is not needed.

Solution: Authenticating users can press ENTER, as instructed on the screen, to see the full
message. Reserve password users can ignore the unnecessary field.
l Problem: When you use SecurID to protect ftp, the SecurID authentication prompts and
error messages are not displayed to users. Only standard operating system (OS) prompts
and error messages are displayed.
Solution: Instruct users to enter their user names at the OS user name prompt, and their
SecurID passcodes at the OS password prompt.
ftp
If a user doesn't know the token status (for example, if the token is in the Next Tokencode
mode, or the New PIN mode), the user must to authenticate with another connection tool,
such as rlogin to verify that the PIN or tokencode is still valid.
l FTP does not support Exponential Backoff Delay.
l You cannot use the Cloud Authentication Service to protect ftp; however, sftp is supported.
Problem: After a user makes three unsuccessful SecurID authentication attempts in a single
ssh session, the connection is closed.
Solution: The user can terminate the session and start another session.

Appendix A: Troubleshooting 41
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Tool Known Issue

Problem:When SELinux is enabled, an ftp tool user sees the message "500 OOPS: cannot change
ftp with directory:/home/tzfFjG_9su."
SELinux Solution: On the agent machine, execute the "setsebool -P ftp_home_dir on" command, where
home_dir is the user's home directory.
Problem:PAM agent messages may get truncated.
gdm
Solution:The gdm theme can be configured appropriately to avoid this issue.
Problem: On RHEL 6.8, before rlogin is configured to work with the PAM agent, rlogin connections
are getting closed.
Solution: Make sure that rlogin works before configuring the PAM agent. Follow these steps:

rlogin 1. Open the /etc/xinet,d/rlogin file.

2. Add nice = 5 at the end of the rlogin configuration.
3. Restart xinetd services:

service xinetd restart

Problem: On Oracle Linux 6.8, rlogin does not work.
Solution: Downgrade to the following rpms:
rlogin util-linux-ng-2.17.2-12.18.el6.x86_64.rpm
libblkid-2.17.2-12.18.el6.x86_64.rpm
libuuid-2.17.2-12.18.el6.x86_64.rpm
Problem: If the first attempt to process an rlogin request fails, the session is handed off to the
login daemon.
rlogin
Solution: If you configure Linux to use rlogin, you must configure the remote login file in
/etc/pam.d.
Problem: Rlogin prompts for a password instead of a passcode, when ambiguous entries are
present in /etc/hosts file.
rlogin Solution: If a machine name exists next to the loopback IP address and actual machine address,
then remove the machine name next to the loopback IP address; rlogin will then behave as
expected.
Problem: When a user tries to access the system using rlogin tool and enters wrong credentials,
the system redirects the authentication process to the telnet tool, and the system may prompt for
rlogin password or passcode as per the telnet configuration.
Solution: When rlogin is protected with SecurID, telnet must also be protected with SecurID and
vice versa.

Upgrade and Uninstall Issues

Problem: If you try to upgrade or uninstall the PAM agent without disabling the RSA PAM module, you may
receive the error message: ‘pam_securid.so is busy, not able to remove/replace’.
Solution: To resolve this issue, you must log on with tools other than ssh and remove pam_securid.so.

42 Appendix A: Troubleshooting
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Authentication Utilities for UDP Mode

Authentication utilities are located in the following directories:

l 32-bit operating system: pam agent installation directory/bin/32bit

l 64-bit operating system: pam agent installation directory/bin/64bit

Use these utilities to:

l Perform a test authentication. For more information, see Run the acetest Utility below.
l Verify communication between the PAM agent and Authentication Manager. For more information, see
Run the acestatus Utility below

You can enable logging for these utilities. For more information, see Enable SecurID Trace Logging for UDP Mode
on page 30

Run the acetest Utility

This utility checks that the agent is functioning properly by performing a test authentication.

Procedure
1. Change to the PAM agent authentication utilities directory:
l 32-bit operating system: pam agent installation directory/bin/32bit
l 64-bit operating system: pam agent installation directory/bin/64bit

2. Type:

./acetest

3. Enter a valid user name and passcode.

If you are repeatedly denied access, test the connectivity to the Authentication Manager server with the Run the
acestatus Utility below utility or contact your Authentication Manager administrator.

Run the acestatus Utility

This utility checks the status of each Authentication Manager where the PAM agent is registered as an agent
host. If you have questions concerning the displayed information, contact your Authentication Manager
administrator.

Procedure
1. Change to the PAM agent utilities directory.
2. Type:

./acestatus

The following table lists the information displayed in the Authentication Manager section.

Returned Information Description

Version of the sdconf.rec file that is in use. For Authentication Manager 8.0 or later,
Configuration Version
this number is 14.
DES Enabled If your configuration environment supports legacy protocols, YES is displayed.

Appendix A: Troubleshooting 43
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Returned Information Description

Number of times the PAM agent sends authentication data to Authentication Manager
Client Retries
before a timeout occurs.
Time (in seconds) that the PAM agent waits before resending authentication data to
Client Timeout
Authentication Manager.
Server Release Version number of Authentication Manager.
Communication Protocol version used by Authentication Manager and the PAM agent.

The following table lists the status information displayed in the Authentication Manager section.

Status Information Description

The IP address that the PAM agent uses to communicate with the server. This address
could be the actual IP address of the server you have selected, or it could be an alias IP
Server Active Address
address assigned to the server. An IP address of 0.0.0.0 indicates that the agent has
not yet received communication from the server.

The following table lists the server status information displayed in the Authentication Manager section.

Server Status Description

Available for
This server is available to handle authentication requests.
Authentications
Unused The server has not yet received an authentication request.
For Failover only The server is reserved for failover use only.
Default Server During
Only this server is available to handle requests at this time.
initial requests

Conversion Utility for UDP Mode

The conversion utility is used when a UDP-based PAM agent co-exists with other SecurID agents.

The conversion utility ns_conv_util is located in the following directories:

l 32-bit operating system: pam agent home/bin/32bit

l 64-bit operating system: pam agent home/bin/64bit

Procedure
1. Change to the PAM agent utilities directory.
2. Type:

./ns_conv_util <Existing_Securid_file_path> <New_Securid_dir_path>

where <Existing_Securid_file_path> is the path where the current SecurID file exists,

and <New_Securid_dir_path> is the directory where the newly generated SecurID file should be stored.

For example:

./ns_conv_util /var/ace/securid /var/ace_pam/

44 Appendix A: Troubleshooting
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

3. If the new destination location is not the same as the location specified by VAR_ACE, copy the new
SecurID file to this location.

Node Secrets for UDP Mode

The node secret is a symmetric encryption key that Authentication Manager and the PAM agent use to encrypt
and decrypt packets of data as they travel across the network. Node secrets are required for agents that use the
UDP protocol. The shared node secret is stored in both the Authentication Manager database and in a file on the
machine where the PAM agent is installed. For agents that use the REST protocol, a node secret file is not used.
Instead of a node secret, a dynamically negotiated key is used to encrypt the channel along with a strong
encryption algorithm.

For UDP-based agents, if the node secret is missing on either the Authentication Manager server or the machine
where the PAM agent is installed, clear the node secret in the other location. If the node secret files on the
Authentication Manager and the PAM agent machine do not match, clear the node secret in both locations. After
you clear the node secret, you must generate a new node secret.

Clear the Node Secret From SecurID Authentication Agent 8.1 for PAM
If the node secret does not match on the SecurID Authentication Agent 8.1 for PAM and the machine where the
PAM agent is installed, or if the node secret is missing from the PAM agent machine, you must clear the node
secret from Authentication Manager. For example, if you reinstall the PAM agent, the node secret is missing from
the PAM agent machine.

Procedure
1. In the Authentication Manager Security Console, click Access > Authentication Agents > Manage
Existing.
2. Locate the affected agent machine and select Manage Node Secret from the drop-down menu.
3. Select the Clear the node secret checkbox, and then click Save.

After you finish

l If there is a node secret on the PAM agent machine, see Clear the Node Secret on the PAM Agent Machine
below.
l If the PAM agent machine does not have a node secret, follow the procedure Generate a New Node
Secret on the next page.

Clear the Node Secret on the PAM Agent Machine

If the node secret does not match on the Authentication Manager instance and the PAM agent machine, or if the
node secret is missing from the Authentication Manager, you must clear the node secret from the PAM agent
machine. For example, if you install a new Authentication Manager instance and add an existing PAM agent, the
node secret is missing from Authentication Manager.

Before you begin

If there is a node secret on the Authentication Manager, see Clear the Node Secret From SecurID Authentication
Agent 8.1 for PAM above.

Appendix A: Troubleshooting 45
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Procedure
1. Log on to the machine on which the PAM agent is installed and locate the node secret file, securid, in the
/var/ace directory.
2. Rename or delete the node secret file.
3. The node secret is also stored in the server cache. Restart the machine to clear the node secret from the
cache.

After you finish

Generate a New Node Secret below

Generate a New Node Secret

Procedure
1. Run the acetest utility from the PAM agent machine to generate the node secret file. For more
information, see Authentication Utilities for UDP Mode on page 43.
2. Check your authentication logs and ensure a new node secret has been sent.
3. Restart your PAM agent machine so that the agent can read the node secret file.

Logging for the PAM Agent

If logging is enabled, by default, PAM agent authentication messages are recorded in the system log. For tracing
purposes, you can configure your system log to record PAM agent authentication log messages for specific tools.
See Enable Debug Output on page 30.

Configure the System Log

The following procedure sends all authentication messages to the system log.

Procedure
1. Change to the /etc/ directory.
2. Open the syslog.conf file.
3. Add auth.notice parameter to the line that specifies your system log file.
4. Remove the authpriv.none parameter, if it is specified for the system log file.
5. If you are using telnet or login, add authpriv.notice parameter to the line that specifies the system log file.
6. Save your changes.
7. Restart the syslog daemon.

PAM Agent Authentication Log Messages

The following table lists the authentication log messages.

Message Description
Cannot locate
The configuration file sd_pam.conf is not in the /etc directory; /etc must contain the
sd_pam.conf
correct configuration file so that the VAR_ACE can be set properly.
file
AceInitialize AceInitialize is an API function call that initializes worker threads, and loads configuration
failed settings from sdconf.rec. Verify that you have the latest copy of sdconf.rec from your

46 Appendix A: Troubleshooting
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Message Description
Authentication Manager administrator and that the VAR_ACE is set properly.
Cannot
communicate Either the Authentication Manager brokers are not started, or there has been a network
with RSA failure. Contact your Authentication Manager administrator or your network administrator.
ACE/Server
Reserve
password
The maximum character limit is 256 characters.
exceeds
character limit
Invalid reserve The reserve password is the same as the system password for the host. You must know this
password password if Authentication Manager is unable to process authentication requests.
User name
exceeds The user name must not exceed 31 characters.
character limit
Reserve
password not
Verify that you are a root user. Only root users can use the reserve password.
allowed. User is
not root.

Logging for REST Mode

The REST mode supports additional logging implemented with the log4cxx library. Logging for the REST layer is
separate from the PAM agent logs. RollingFileAppender and SyslogAppender are supported. By default,
RollingFileAppender is enabled. Logs go to /var/ace/log/mfa_rest.log with the log level set to INFO. Size-
based rotation is enabled with a rotation size of 10 MB.

Time-based log rotation is not supported. Supported tools, such as ssh and su, load the authentication agent for
every request, and so the PAM agent cannot rotate the logs based upon time. The PAM agent supports size-
based log rotation.

You can change the default log settings for REST mode.

Procedure
1. Change to the /var/ace/conf directory.
2. Open the log.properties file.
3. Configure the following entries for size-based rotation:

log4j.rootLogger=INFO, RestLogger

log4j.appender.RestLogger=org.apache.log4j.RollingFileAppender

log4j.appender.RestLogger.File=/var/ace/log/mfa_rest.log

log4j.appender.RestLogger.MaxFileSize=10MB

log4j.appender.RestLogger.MaxBackupIndex=10

log4j.appender.RestLogger.layout=org.apache.log4j.PatternLayout

Appendix A: Troubleshooting 47
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

log4j.appender.RestLogger.layout.ConversionPattern=%d [%t] %-5p

(%F:%L) - %m%n

log4j.appender.RestLogger.Append=true

log4j.appender.RestLogger.ImmediateFlush=true

4. Configure the following entries to support local and remote logging to the syslog:

log4j.rootLogger=INFO,Syslog

log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender

log4j.appender.Syslog.syslogHost=localhost

log4j.appender.Syslog.Facility=DAEMON

log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout

log4j.appender.Syslog.layout.ConversionPattern=%d{yyyy-MM-dd
HH:mm:ss:SSS}%p [%c] %m%n

5. Save your changes.

6. Restart the syslog daemon.

Troubleshooting SELinux

SELinux (Security-Enhanced Linux) sometimes requires additional procedures as specified below.

Using the REST protocol on an Upgraded Agent

To use the REST protocol for authentication, you must overwrite the existing SELinux policy when you upgrade
the PAM agent. Otherwise, some tools are unable to authenticate with the REST protocol.

To update the SELinux policy, you can run the install script again and overwrite the existing policy. Files that
were already upgraded are not affected.

Enable Custom Path Settings

When SELinux is enabled, custom path settings for VAR_ACE and RSATRACEDEST do not work by default.

Procedure
To enable custom path settings, you must enter the following commands, where <custom_directory_path> is the
file path of the custom VAR_ACE directory or RSATRACEDEST directory you want to use:

semanage fcontext -a -t var_t <custom_directory_path>

restorecon -R <custom_directory_path>

48 Appendix A: Troubleshooting
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Configure Timeout and Retry Values for REST Authentication

You can configure how long the PAM agent can take to connect to Authentication Manager or the Cloud
Authentication Service, and how long the PAM agent waits for a response. You can also configure the number of
times that the PAM agent tries to contact an Authentication Manager primary or replica instance or the Cloud
Authentication Service. These parameters are only used by the REST protocol.

Make sure to account for the speed of your network. Setting high timeout values on a slower network allows
authentication to succeed.

Before you begin

You must have root permissions on the machine on which the agent is installed and write permission to the
directory in which the mfa_api.properties file is stored. By default, this file is stored in /var/ace/conf.

Procedure
1. Change to the directory where mfa_api.properties is located. By default, the directory is
/var/ace/conf.
2. Open mfa_api.properties.
3. You can change the following parameters:
l CONNECT_TIMEOUT. The maximum number of seconds allowed for the agent to connect to the
server. The default is 60 seconds.
l READ_TIMEOUT. The maximum number of seconds allowed to connect to the server and read the
response. The READ_TIMEOUT value must equal the sum of the CONNECT_TIMEOUT value and
the maximum time allowed for reading the response. The default is 120 seconds.
l MAX_RETRIES. The number of times that the PAM agent tries to connect to Authentication
Manager or the Cloud Authentication Service. The default value is 3.
l For the Authentication Manager REST interface Initialize phase, when the PAM agent starts an
authentication attempt, the MAX_RETRIES is the number of times that the agent tries to contact
the same server before failover to another server. During the Verification phase, when the
PAM agent is providing authentication credentials, failover is not supported, and the MAX_
RETRIES is the number of times that the agent tries to contact the same server before
authentication fails.
l The Cloud Authentication Service does not support failover. For both the Initialize and Verify
phases, the MAX_RETRIES is the number of times that the agent tries to contact the same server
before authentication fails.

4. Save the file.

Uninstall the RSA Authentication Agent 8.1 for PAM

You can either manually uninstall the PAM agent on individual machines, or you can choose to silently and
automatically uninstall multiple copies of the PAM agent.

Uninstalling the RSA Authentication Agent 8.1 for PAM removes the configured SELINUX labels for REST libraries
that were created during the PAM agent installation.

Appendix A: Troubleshooting 49
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Before you begin

l Configure the RSA SecurID protected tools to use the standard PAM module provided with your operating
system, and not the RSA PAM module. Any active sessions using the RSA PAM modules must be closed
before you proceed with the uninstall. You must undo the procedures that you followed in Configuring
Tools on page 25.

Note: If you uninstall the RSA module while there are references to the RSA module in /etc/pam.d
directory, you will be locked out of your system.

l Verify that you have root permissions on the host.

Uninstall the PAM Agent from One Machine

Perform this task to uninstall one PAM agent.

Procedure
1. Change to the PAM agent home directory. For example, /opt/pam.
2. Run the uninstall script. Type:

./uninstall_pam.sh

3. Verify that the installation directory has been removed. If the directory still exists, you must remove it
manually.

4. To verify that the PAM agent was successfully removed, check the /var/pam_
uninstaller/uninstaller.log file.

Bulk Uninstall the PAM Agent in Silent Mode

Perform this task to uninstall a large number of PAM agents.

Procedure
1. Create a text-based configuration file with the name unconfig. The file must contain the following
information:

y
y
y

Each y is a response to a prompt:

l Are you sure that you would like to uninstall the RSA Authentication Agent 8.1.0 [101] for PAM?
l The RSA Authentication Agent for PAM will be deleted from the <install_path> directory. Ok?
l If you uninstall the RSA module while there are references to the RSA module in the PAM
configuration file ( file pam.conf or inside the directory pam.d), you will be locked out of your
system. Proceed with uninstall? Ok?

2. Change to the PAM agent home directory. For example, /opt/pam.

3. Run the uninstall script. Type:

./uninstall_pam.sh < unconfig

50 Appendix A: Troubleshooting
®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Appendix B: Critical Configuration Files

Critical Configuration Files 52

Appendix B: Critical Configuration Files 51

®
RSA Authentication Agent 8.1 for PAM Installation and Configuration Guide for Oracle and RHEL

Critical Configuration Files

The default PAM agent installation directory is /opt/pam, and this can be changed during installation. By
default, the /var/ace directory includes REST-related libraries and files. This directory location cannot be
changed.

In addition to the binaries (pam_securid.so, acetest, acestatus, and ns_conv_util), the PAM agent
maintains the critical configuration files listed in the following table.

Note: As with all applications, you, the administrator, may need to modify the default file permissions when
non-privileged users access the PAM agent.

File Description
PAM agent logging configuration file for the REST protocol. PAM agent uses the library
log.properties
log4cxx for REST-mode logging.
mfa_ Contains the settings used by the REST protocol for authentication to Authentication Manager
api.properties and the Cloud Authentication Service.
This file is generated by Authentication Manager, and contains configuration information that
sdconf.rec controls the behavior of the PAM agent. This file permission should be -rw------- root root.

This file is only used in UDP mode.

This file is used for manual load balancing. It contains a list of IP addresses for Authentication
sdopts.rec Manager instances. This file permission should be -rw------- root root.

This file is only used in UDP mode.

This file is generated by the PAM agent authentication API to track the last known status of the
sdstatus.12
Authentication Manager servers. This file permission should be -rw------- root root.
Contains configuration settings that control behavior of the PAM agent. This file permission
sd_pam.conf
should be -rw-r--r-- root root.
This file contains a shared secret key used to protect the UDP protocol communication between
the local machine and Authentication Manager. The name of this file is derived from the local
system's configured protocol name for the port over which the agent communicates with
securid Authentication Manager, usually through the "services" file. This file permission should be -r---
----- root root. However, it also depends on the OS Umask setting.

The UDP protocol requires this file. This file optional for authentication with the REST protocol.

52 Appendix B: Critical Configuration Files

PTC88C Command Manual
50% (4)
PTC88C Command Manual
286 pages
Authentication Plug-In DeveloperGuide
No ratings yet
Authentication Plug-In DeveloperGuide
50 pages
SUSE Linux Enterprise Server Security Guide
No ratings yet
SUSE Linux Enterprise Server Security Guide
472 pages
Correct Answer: 10: 1. The Default Value of "Target Scope" For Static Route Is
100% (1)
Correct Answer: 10: 1. The Default Value of "Target Scope" For Static Route Is
4 pages
System 6000 Rfid Encoder pk3695 PDF
No ratings yet
System 6000 Rfid Encoder pk3695 PDF
7 pages
RSA Authentication Agent 8.0 For PAM Installation and Configuration Guide For Oracle and RHEL
No ratings yet
RSA Authentication Agent 8.0 For PAM Installation and Configuration Guide For Oracle and RHEL
54 pages
PAMAgent Solaris
No ratings yet
PAMAgent Solaris
50 pages
RSA Authentication Agent 7.1 For PAM-Installation and Configuration Guide For RHEL
No ratings yet
RSA Authentication Agent 7.1 For PAM-Installation and Configuration Guide For RHEL
23 pages
Rsa Authentication Manager 8.2 SP1 Setup Config Guide
No ratings yet
Rsa Authentication Manager 8.2 SP1 Setup Config Guide
126 pages
Rsa Authentication Manager 8.4 Administrators Guide
No ratings yet
Rsa Authentication Manager 8.4 Administrators Guide
202 pages
WebAgent IIS PDF
No ratings yet
WebAgent IIS PDF
148 pages
Rsa Authentication Manager 8.5 Setup Config Guide
No ratings yet
Rsa Authentication Manager 8.5 Setup Config Guide
120 pages
Auth Agent API C Dev Guide PDF
No ratings yet
Auth Agent API C Dev Guide PDF
208 pages
RSA Authentication Agent 8.0 For Web For IIS 7.5, 8.0, 8.5, and 10 Installation and Configuration Guide
No ratings yet
RSA Authentication Agent 8.0 For Web For IIS 7.5, 8.0, 8.5, and 10 Installation and Configuration Guide
148 pages
Rsa Securid Access Rsa Securid Authentication API Developers Guide
No ratings yet
Rsa Securid Access Rsa Securid Authentication API Developers Guide
43 pages
Auth Agent Install Admin Guide
No ratings yet
Auth Agent Install Admin Guide
95 pages
IGL 7.2 Administrators Guide
No ratings yet
IGL 7.2 Administrators Guide
295 pages
rsa_authentication_manager_8.8_setup_config_guide
No ratings yet
rsa_authentication_manager_8.8_setup_config_guide
116 pages
Installation UpgradeGuide
No ratings yet
Installation UpgradeGuide
168 pages
RSA Authentication Agent Supported Platforms
No ratings yet
RSA Authentication Agent Supported Platforms
4 pages
Hardening
No ratings yet
Hardening
509 pages
Book Security
No ratings yet
Book Security
440 pages
IGL 7.0.2 Installation Guide
No ratings yet
IGL 7.0.2 Installation Guide
216 pages
IGL 7.2.1 Installation Guide
No ratings yet
IGL 7.2.1 Installation Guide
205 pages
IGL 7.1 Installation Guide
No ratings yet
IGL 7.1 Installation Guide
243 pages
WebAgent IIS
No ratings yet
WebAgent IIS
60 pages
Li Rhel 8 Security Technology Brief f17208 201905 en
No ratings yet
Li Rhel 8 Security Technology Brief f17208 201905 en
2 pages
Red Hat Enterprise Linux 6 Security Guide en US
No ratings yet
Red Hat Enterprise Linux 6 Security Guide en US
227 pages
Red Hat Enterprise Linux 6 Security Guide en US
No ratings yet
Red Hat Enterprise Linux 6 Security Guide en US
224 pages
Red Hat Linux Security Guide
No ratings yet
Red Hat Linux Security Guide
106 pages
Red Hat Linux Security Guide
No ratings yet
Red Hat Linux Security Guide
106 pages
Book - Security Color en
No ratings yet
Book - Security Color en
415 pages
Secure Remote Services 3.38 Intallation Guide
No ratings yet
Secure Remote Services 3.38 Intallation Guide
78 pages
The Official Red Hat Linux Security Guide
No ratings yet
The Official Red Hat Linux Security Guide
112 pages
Am Migration Guide 7.1 New Appliance
No ratings yet
Am Migration Guide 7.1 New Appliance
202 pages
Guia de Segurança Opensuse
No ratings yet
Guia de Segurança Opensuse
416 pages
Oracle: Rsa Securid Ready Implementation Guide
No ratings yet
Oracle: Rsa Securid Ready Implementation Guide
12 pages
Book-Security Color en PDF
No ratings yet
Book-Security Color en PDF
401 pages
SecurID ADM PDF
No ratings yet
SecurID ADM PDF
314 pages
Security Guide
100% (2)
Security Guide
134 pages
Secure Remote Services Installation Guide PDF
No ratings yet
Secure Remote Services Installation Guide PDF
70 pages
DellEMC Unity Condor TTT XT Serviceability
No ratings yet
DellEMC Unity Condor TTT XT Serviceability
100 pages
SuSE Linux Enterprise Server Security Guide 11 SP4
No ratings yet
SuSE Linux Enterprise Server Security Guide 11 SP4
488 pages
RSA Authentication Manager 8.5 Brazil Only Hardware Appliance Installation Guide
No ratings yet
RSA Authentication Manager 8.5 Brazil Only Hardware Appliance Installation Guide
2 pages
RSA Authentication Manager Upgrade Path
No ratings yet
RSA Authentication Manager Upgrade Path
6 pages
Book Security PDF
No ratings yet
Book Security PDF
488 pages
AC Admin UX ENU
0% (1)
AC Admin UX ENU
287 pages
Secure Remote Access With The Solaris™ 9 Operating Environment
No ratings yet
Secure Remote Access With The Solaris™ 9 Operating Environment
22 pages
RSA Authentication Manager 8.2 Troubleshooting Guide
No ratings yet
RSA Authentication Manager 8.2 Troubleshooting Guide
176 pages
SPP_7.0.5 LTS_AdministrationGuide
No ratings yet
SPP_7.0.5 LTS_AdministrationGuide
660 pages
Token Converter310 Admin
No ratings yet
Token Converter310 Admin
26 pages
Red Hat Enterprise Linux 6 Security Guide en US
No ratings yet
Red Hat Enterprise Linux 6 Security Guide en US
189 pages
RSA SecurID Access RSA SecurID Authentication API Developer's Guide
No ratings yet
RSA SecurID Access RSA SecurID Authentication API Developer's Guide
42 pages
SSH Insecure HMAC Algorithms Enabled and SSH CBC Mode Ciphers Enabled Security Vulnerabilities Come Up Against Authentication Manager 8.x
No ratings yet
SSH Insecure HMAC Algorithms Enabled and SSH CBC Mode Ciphers Enabled Security Vulnerabilities Come Up Against Authentication Manager 8.x
3 pages
Rsa Securid Access Cloud Authentication Service Quick Setup Radius Clients PDF
No ratings yet
Rsa Securid Access Cloud Authentication Service Quick Setup Radius Clients PDF
16 pages
Plesk 10 Pci Compliance Guide
No ratings yet
Plesk 10 Pci Compliance Guide
10 pages
Learning VMware vRealize Automation: Learn the fundamentals of vRealize Automation to accelerate the delivery of your IT services
From Everand
Learning VMware vRealize Automation: Learn the fundamentals of vRealize Automation to accelerate the delivery of your IT services
Sriram Rajendran
No ratings yet
Learning Nagios - Third Edition
From Everand
Learning Nagios - Third Edition
Wojciech Kocjan
No ratings yet
Mastering Go Network Automation
From Everand
Mastering Go Network Automation
Ian Taylor
No ratings yet
Mastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeter
From Everand
Mastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeter
Ian Taylor
No ratings yet
Mastering Zabbix - Second Edition
From Everand
Mastering Zabbix - Second Edition
Vacche Andrea Dalle
No ratings yet
MariaDB High Performance
From Everand
MariaDB High Performance
Pierre MAVRO
No ratings yet
VMware vRealize Orchestrator Essentials: Get hands-on experience with vRealize Orchestrator and automate your VMware environment
From Everand
VMware vRealize Orchestrator Essentials: Get hands-on experience with vRealize Orchestrator and automate your VMware environment
Daniel Langenhan
No ratings yet
Veritas Saas Backup for O365 Presentation
No ratings yet
Veritas Saas Backup for O365 Presentation
12 pages
V1.0.3 Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization Audit Checklist
No ratings yet
V1.0.3 Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization Audit Checklist
25 pages
V 2.0 Windows Server and SQL Server Migration Audit Checklist (3)
No ratings yet
V 2.0 Windows Server and SQL Server Migration Audit Checklist (3)
26 pages
V2.0 Microsoft Windows Virtual Desktop Advanced Specialization
No ratings yet
V2.0 Microsoft Windows Virtual Desktop Advanced Specialization
26 pages
Veritas SaaS Backup
No ratings yet
Veritas SaaS Backup
2 pages
FHM Philippines February 2014
No ratings yet
FHM Philippines February 2014
132 pages
Information Security Policy Guidelines for 3rd Party v1.0
No ratings yet
Information Security Policy Guidelines for 3rd Party v1.0
6 pages
MPLS VPNL3
No ratings yet
MPLS VPNL3
14 pages
CBL Lookup Utility: at The Time of Removal, This Was The Explanation For This Listing
No ratings yet
CBL Lookup Utility: at The Time of Removal, This Was The Explanation For This Listing
5 pages
Airpcap User Guide
No ratings yet
Airpcap User Guide
26 pages
(Ebook) Networking: A Beginner's Guide by Bruce Hallberg ISBN 9780072132311, 9780072194548, 0072132310, 0072194545 instant download
No ratings yet
(Ebook) Networking: A Beginner's Guide by Bruce Hallberg ISBN 9780072132311, 9780072194548, 0072132310, 0072194545 instant download
55 pages
W5500 Ethernet Shield - WIZnet Co., LTD
No ratings yet
W5500 Ethernet Shield - WIZnet Co., LTD
2 pages
Datasheet: Integrated Gigabit Ethernet Controller For Pci Express™ Applications
No ratings yet
Datasheet: Integrated Gigabit Ethernet Controller For Pci Express™ Applications
29 pages
Basic Internet MCQs
No ratings yet
Basic Internet MCQs
2 pages
AOS-CX Simulator Lab - PIM-SM Troubleshooting Lab Guide
No ratings yet
AOS-CX Simulator Lab - PIM-SM Troubleshooting Lab Guide
13 pages
Network Planning and Design. Network Planning and Design Is An Iterative Process
No ratings yet
Network Planning and Design. Network Planning and Design Is An Iterative Process
3 pages
Vlan To Cgnet Cisco Aci To Palo Alto Networks
No ratings yet
Vlan To Cgnet Cisco Aci To Palo Alto Networks
7 pages
Trắc nghiệm CCNA - Chương 5 Dynamic routing
No ratings yet
Trắc nghiệm CCNA - Chương 5 Dynamic routing
13 pages
Scenario: Replacing Two Omua or Omub Boards With Two Omuc Boards
No ratings yet
Scenario: Replacing Two Omua or Omub Boards With Two Omuc Boards
6 pages
Networking Keywords Crossword
No ratings yet
Networking Keywords Crossword
1 page
BAM Administration Guide 4.1.1
No ratings yet
BAM Administration Guide 4.1.1
940 pages
MSEI-27
No ratings yet
MSEI-27
4 pages
Chapter Reseau
No ratings yet
Chapter Reseau
26 pages
B Cisco Nexus 9000 Series NX Os System Management Configuration Guide 93x - Chapter - 010100
No ratings yet
B Cisco Nexus 9000 Series NX Os System Management Configuration Guide 93x - Chapter - 010100
12 pages
M. C. A. (Sem. V) Examination P-502: Advance Networking
No ratings yet
M. C. A. (Sem. V) Examination P-502: Advance Networking
7 pages
Fortigate VDOM
No ratings yet
Fortigate VDOM
120 pages
MPLS
No ratings yet
MPLS
147 pages
CH 3 Datalink
No ratings yet
CH 3 Datalink
35 pages
Router On Stick Is A Method Used For Communicating Inter-VLAN's Using A Router
No ratings yet
Router On Stick Is A Method Used For Communicating Inter-VLAN's Using A Router
2 pages
Cloud Computing - Lab 3
No ratings yet
Cloud Computing - Lab 3
2 pages
Top CCNA Questions
No ratings yet
Top CCNA Questions
31 pages
ACN
No ratings yet
ACN
20 pages
Ravindra P
No ratings yet
Ravindra P
3 pages
Subnetting-SBIT1G - April 25
No ratings yet
Subnetting-SBIT1G - April 25
3 pages