RSA SecureID Implementation via RSA API

Abstract

VISULOX login with an AD user and AD password, extended by an RSA token, can be implemented either with the VISULOX external MFA service or with VISULOX login Validation.

The VISULOX project script rsaSecureId.tcl, provided to customers on request, verifies the username and token against the RSA server.

The VISULOX login user (VLXLOGINUSER) has to be the same as in AD and on the RSA server (additional mapping is possible on project request).

The current implementation only verifies the user and the RSA token. The "CHALLENGE" flow is currently not implemented, so the user needs the RSA self-service for it. (The "CHALLENGE" flow can be implemented on project request.)

The RSA validation can be implemented as a VISULOX external MFA Policy or as a VISULOX Validation to any Login Policy. It requires a VISULOX 2FA license.

Background

RSA provides an API to verify a user and their current token. A description can be found here:

The implemented API call is initialized (with SecureID) with the user authentication and the token in a single request.

An API request needs a URL and a client key. This information is stored in a VISULOX resource.

For example:

Create a VISULOX RSA SECUREID resource with a URL and a client key:

CODE
visulox passcache edit -resource mokeid \
    -resuser "https://a06136c9-cbe2-44dc-8049-fd95c4236cdb.mock.pstmn.io" \
    -respass "dummy-85o8xe8534r7g484581wi225c1h4o"

Command

CODE
rsaSecureId.tcl -resource <name of resource> -username VLXLOGINUSER -token <current token> -id <message>

Live system

CODE
su vlx -c "/opt/visulox/lib/utils/rsaSecureId.tcl -resource rsasecureid -user <user> -token <token>"

Additional options:

CODE
-id <message id>   message id sent with the request
-verbose           show the response data
-debug             write debugging data to logs/rsasecurid.log
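As an added example (not the project's rsaSecureId.tcl and not code from the page), the following Python sketch shows what the one-request verification described in Background looks like and how the answer maps onto the ok/failed contract used by the PIN action script below: the resource URL and client key from the VISULOX resource, the login user, the token and the message id from the -id option go in, and "ok" or "failed:<reason>" comes out. The endpoint path and the request/response field names are assumptions taken from the RSA SecurID Authentication API as the author understands it and must be checked against RSA's documentation; treating "CHALLENGE" as a failure mirrors the page's note that the challenge flow is not implemented.

```python
import json
import urllib.request

# Endpoint path and field names are assumptions based on the RSA SecurID
# Authentication API (v1.1 "initialize"); verify them against RSA's documentation.
INITIALIZE_PATH = "/mfa/v1_1/authn/initialize"


def build_initialize_request(user, token, message_id):
    """Body for a one-shot check: user name and SecurID passcode in one request."""
    return {
        "subjectName": user,
        "context": {"authnAttemptId": "", "messageId": message_id, "inResponseTo": ""},
        "credentials": [{"methodId": "SECURID",
                         "collectedInputs": [{"name": "SECURID", "value": token}]}],
    }


def interpret_response(body):
    """Map attemptResponseCode to ("ok", "") or ("failed", reason); fail closed otherwise."""
    try:
        data = json.loads(body)
    except ValueError:
        return ("failed", "unparseable response")
    if not isinstance(data, dict):
        return ("failed", "unexpected response")
    code = data.get("attemptResponseCode")
    if code == "SUCCESS":
        return ("ok", "")
    if code == "CHALLENGE":
        # Next-tokencode / new-PIN dialogues are not handled here, as on the page:
        # the user resolves them via RSA self-service, so the login is refused.
        return ("failed", "challenge not supported")
    return ("failed", str(data.get("attemptReasonCode") or code or "no response code"))


def verify_securid(base_url, client_key, user, token, message_id, opener=urllib.request.urlopen):
    """POST the initialize request; the client key goes in a header, never in the URL."""
    req = urllib.request.Request(
        base_url.rstrip("/") + INITIALIZE_PATH,
        data=json.dumps(build_initialize_request(user, token, message_id)).encode(),
        headers={"Content-Type": "application/json", "client-key": client_key},
        method="POST",
    )
    try:
        # urlopen checks the server certificate by default; leave that enabled.
        with opener(req, timeout=10) as resp:
            return interpret_response(resp.read())
    except OSError as exc:  # DNS, TLS or HTTP errors: never report "ok" on an error
        return ("failed", "request error: %s" % exc)
```

The `opener` parameter only exists so the exchange can be exercised offline with a stand-in for `urlopen`; in use it is left at its default.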

VISULOX policy implementation

VISULOX external MFA Login Policy

CODE
#!/bin/bash
export BASE=$( cd "$(dirname "${BASH_SOURCE[0]}")" && pwd )

# Implement RSA validation via VISULOX external MFA

VLX_HOME=${VLX_HOME:-/opt/visulox}

VLX_CMD="$VLX_HOME/bin/visulox"

# Register the PIN action that runs the RSA check (script_rsaSecureId_pin.sh)
"$VLX_CMD" admin action add -name rsaPIN \
    -category pin \
    -scriptfile "$BASE/script_rsaSecureId_pin.sh" \
    -force

# Remove any previous rsa* login policies before creating the new one
"$VLX_CMD" policy login delete -name 'rsa*' -force

"$VLX_CMD" policy login add -name rsaLoginPIN \
    -mode external -pinscript rsaPIN -force

# Always ask for the OTP and label the input field "RSA TOKEN"
"$VLX_CMD" config reset -name extendsession.login.entry1
"$VLX_CMD" config -name otp.always=true
"$VLX_CMD" config -name otp.label="RSA TOKEN"

echo "Copy rsaSecureId in place"
cp "$BASE/rsaSecureId.tcl" "$VLX_HOME/lib/utils"

echo "Register VISULOX at PORTAL"

Action script for external MFA confirmation:

script_rsaSecureId_pin.sh

CODE
#!/bin/bash
export BASE=$( cd "$(dirname "${BASH_SOURCE[0]}")" && pwd )

# VLXUTIL, VLXLOGINUSER and VLXPIN are expected in the environment when VISULOX runs this action.
#$VLXPATH/bin/cmd/config.tcl env > /tmp/vlxVar.data
#TESTING=test

# Run the check; whatever the script prints after the first colon is kept as the failure reason.
result=$("$VLXUTIL/rsaSecureId.tcl" $TESTING -resource rsasecureid -user "$VLXLOGINUSER" -token "$VLXPIN" 2>&1 | cut -d : -f 2-)
# An empty result means the token was accepted; anything else is reported as "failed:<reason>".
[[ -z "$result" ]] && echo "ok" || echo "failed:$result"
exit 0