Two Factor Authentication for vSphere – RSA SecurID – Part 2

Introduction

In Part 1 of Two Factor Authentication for vSphere – RSA SecurID, we configured RSA Authentication Manager to get it ready for adding the PSC as an Authentication Manager agent. In this post, we’ll configure the Platform Services Controller (PSC) itself by uploading the sdconf.rec file and running the appropriate CLI commands to enable RSA SecurID. We’ll also talk about other authentication options you can enable or disable as you see fit.

Configure Platform Services Controller

To set the stage right, a quick review on the role of the PSC .vs. “vCenter the application”. The PSC provides authentication services. vCenter provides authorization services. A user gets authenticated by PSC (SSO). This is why SecurID and Smart Card bits are handled by the PSC and not vCenter specifically. After authentication occurs, vCenter matches that credential with the permissions assigned to it. That’s authorization.

Picking up where we left off in Part 1, we’ll now work on configuring the PSC for SecurID.

Uploading sdconf.rec

You need to upload the sdconf.rec file to the PSC to start the configuration of the Authentication Manager agent. In my example, I’ll be using WinSCP to upload. In order for that to work, you need to change the shell from /bin/appliancesh to /bin/bash.

Using the instructions outlines in KB2107727 you’ll change the shell.
SSH into the PSC

  1. Run this command to enable the Bash shell: shell.set –enable True
  2. Run this command to access the Bash shell: shell
  3. In the Bash shell, run this command to change the default shell to Bash: chsh -s /bin/bash root
  4. Use WinSCP to upload the sdconf.rec files to the PSC. I uploaded to /root/sdconf.rec
  5. To return to the Appliance Shell, run this command: chsh -s /bin/appliancesh root

With the sconf.rec file on the PSC, it’s time to run some CLI commands to enable SecurID.

Enabling SecurID via CLI commands

The following is called out in the vSphere documentation. The script we’ll run is sso-config.sh and it has a number of options. The options we are most interested in at the moment are:

  • The Tenant Name: If you installed SSO with a default domain of vsphere.local, then use this as the “Tenant Name”.
    • The option is -t <tenant name>
  • The Authentication Manager Authentication Agent name: As you recall from Part 1, this is the name you gave the Authentication Agent when you configured it. I used the FQDN of mgt-psc-01.demo.vmware.com.
    • The option is -agentName <agent name>
  • Configuration Filename: The location of the sdconf.rec file you uploaded to the PSC. I used /root/sdconf.rec
    • The option is -sdConfFile <filename>
  • Site-Specific Configuration: This option “sets” the site-specific configuration.
    • The option is -set_RSA_site

While still logged in to the PSC, change directory to /opt/vmware/bin so we can run the sso-config.sh script:

  • cd /opt/vmware/bin/

First we’ll enable the SecurID Authentication Policy:

  • ./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true

Next, we’ll configure the agent software in SSO with the sdconf.rec file. There are a couple of things to set.

Here’s the command I ran:
./sso-config.sh -set_rsa_site -t vsphere.local -agentName mgt-psc-01.demo.vmware.com -sdConfFile /root/sdconf.rec

You can confirm all the settings by dumping the RSA Configuration of SSO. The option is -get_RSA_config. Note that you need to provide the tenant/domain name as well.

./sso-config.sh -t vsphere.local -get_rsa_config

Here’s what I got for my RSA Config:
logonGuide: Passcode for soft token users:
Enter only the generated token code from app

Passcode for hard token users:
Enter pin + generated token code
logLevel: INFO
logFileSize: 1
maxLogFileCount: 10
connTimeOut: 60
readTimeOut: 60
encAlgList: [AES/32, AES/16, AES/24]
idsUserIDAttributeMaps: UndefinedConfig
Sites [
[siteID: d947f927-3970-4b10-b0a5-3a3dcc4e2b3a
agentName: mgt-psc-01.demo.vmware.com
sdConfFile: Binary value
sdOptsFile: Not set
]

At this stage you should be ready to log in via SecurID! Give it a try! When you first log in Authentication Manager will create and populate the Agent with a Node Secret. This is a unique shared secret between Authentication Manager  and each Agent. Authentication agents use the node secret to encrypt authentication requests that they send to Authentication Manager. Authentication Manager uses the node secret to verify the identity of IPv4/IPv6 authentication agents.

Here’s a quick demo on how the user experience looks like. In the example I’m using a Windows-based soft token assigned to administrator@demo.vmware.com. This user is in Active Directory. Note how the UI changes based on what authentication option I choose.

 

Managing Authentication Options

Using the sso-config.sh script you can configure how you want to do authentication. Username/Password, SecurID, Smartcard, etc.. However, you cannot do this on a per-identity store basis. For example, you can’t configure vsphere.local to be Username/Password and Active Directory to be SecurID.

You can, however, configure the vCenter login page (hosted by the PSC) to present those different login options by running the sso-config.sh script.

For example, if I want to allow username/password and SecurID but not offer Integrated Windows Authentication and Smart Card Authentication, I’d run the following:

/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn true -t vsphere.local

Here are the options available:

  • -pwdAuthn = Username/Password
  • -winAuthn = Integrated Windows Authentication
  • -certAuthn = Smart Card Authentication
  • -securIDAuthn = SecurID Authentication

You can run this command and set your options accordingly. Refresh the Web Client login page and you’ll see options come and go accordingly. For example, if you set -winAuthn to false then you wouldn’t see the “Use Windows session authentication” option.

What about PowerCLI, Python and other API access?

SecurID is only for the Web Client. Even if you force everyone to use SecurID, you can still connect via PowerCLI (and the API’s and the C# client) using Username and Password. Personally, I don’t think it would be helpful to have SecurID as an option for scripting. However, the SSO PM and myself would really like to hear from you about just what options you’d be interested in seeing for scripting/API level access that complements the 2FA of SecurID into the Web Client.

What about the new HTML5 client Fling??

I can confirm that logging in with SecurID using the HTML5 Client Fling works! As with any Fling, it’s not supported. Note that the H5 client isn’t a PSC, it’s just a vSphere client. So there’s no sso-config.sh to run on there. That’s all on the PSC.

FAQ/Wrapup

We’ve covered a whole bunch in these blog posts. Here’s a quick list of what we did.

  • Configured RSA Authentication Manager and the Platform Services Controller to use the same Identity Source
  • Added a new Agent to Authentication Manager
  • Generated the sdconf.rec file and uploaded it to the PSC
  • Enabled SecurID on the PSC with the authentication options we want
  • Explained some of the options and caveats of choosing those options
  • Pointed out to NOT use multi-byte usernames when using RSA SecurID
  • Clarified that SecurID is just for the Web Client, not for things like PowerCLI
  • Confirmed that the H5 Client Fling works as well!
  • If your PSC’s are behind a load balancer, SecurID will not work.

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Thanks for reading!

mike