Pre-requisites:
- Validate that the LDAP attribute on the RSA Authentication Manager is configured with sAMAccountName
- The PSC node is configured as a standard agent on the RSA Authentication Manager
- Validate that the certificates on the RSA node are trusted by the PSC
- Download the sdconf.rec from the RSA Authentication Manager
- Create the sdopts.rec file in the format below:
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>
Note: Refer to https://community.rsa.com/docs/DOC-46997 for details of the sdopts.rec configuration
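As an added helper (not part of the original note), the script below generates sdopts.rec in the format shown above from a list of RSA node addresses and runs a pre-flight check on both files before the sso-config.sh commands are issued; it assumes the RSA nodes are addressed by IPv4 and that the file paths are placeholders:

```shell
#!/bin/sh
# Added example, not part of the original note: build and sanity-check the
# sdopts.rec file described above before passing it to sso-config.sh.
# Assumption: RSA node addresses are IPv4 literals.

# Return 0 if a single sdopts.rec line is a well-formed USESERVER=<IPv4> entry.
sdopts_line_ok() {
    line=$1
    case "$line" in
        USESERVER=*) ip=${line#USESERVER=} ;;
        *) return 1 ;;
    esac
    # Exactly four dot-separated decimal octets, each in the range 0-255.
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write one USESERVER line per RSA node address to stdout; reject bad input.
build_sdopts() {
    for ip in "$@"; do
        sdopts_line_ok "USESERVER=$ip" || { echo "bad RSA node address: $ip" >&2; return 1; }
        printf 'USESERVER=%s\n' "$ip"
    done
}

# Pre-flight check: sdconf.rec must exist and be non-empty, and every line of
# sdopts.rec must validate. Returns 0 only when both conditions hold.
check_rsa_files() {
    sdconf=$1 sdopts=$2
    [ -s "$sdconf" ] || { echo "missing or empty $sdconf" >&2; return 1; }
    [ -s "$sdopts" ] || { echo "missing or empty $sdopts" >&2; return 1; }
    while IFS= read -r l || [ -n "$l" ]; do
        sdopts_line_ok "$l" || { echo "invalid sdopts.rec line: $l" >&2; return 1; }
    done < "$sdopts"
    return 0
}
```

Run `build_sdopts <ip> ... > /root/sdopts.rec` and then `check_rsa_files /root/sdconf.rec /root/sdopts.rec` before the -set_rsa_site command.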
Commands to configure:
/opt/vmware/bin/sso-config.sh -t <SSO Domain> -set_authn_policy -securIDAuthn true
/opt/vmware/bin/sso-config.sh -set_rsa_config -t <SSO Domain> -logLevel DEBUG
/opt/vmware/bin/sso-config.sh -set_rsa_site -t <SSO Domain> -agentName <PSC FQDN> -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
/opt/vmware/bin/sso-config.sh -set_rsa_userid_attr_map -t <SSO Domain> -idsName <Domain name> -ldapAttr sAMAccountName
Validate the configuration with the command below:
/opt/vmware/bin/sso-config.sh -t vsphere.local -get_rsa_config
Sample Output:
./opt/vmware/bin/sso-config.sh -t vsphere.local -get_rsa_config
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256M; support was removed in 8.0
logonGuide: Passcode for soft token users:<br>Enter only the generated token code from app<br><br>Passcode for hard token users:<br> Enter pin + generated token code
logLevel: DEBUG
logFileSize: 1
maxLogFileCount: 10
connTimeOut: 60
readTimeOut: 60
encAlgList: [AES/16, AES/32, AES/24]
idsUserIDAttributeMaps: {<Domain Name>=sAMAccountName}
Sites [
[siteID: 66918bc1-41ae-4463-9eaf-b1f7c5dba649
agentName: <PSC FQDN>
sdConfFile: Binary value
sdOptsFile: Binary value
]
- Once completed, restart all the services on the PSC and on the vCenter Server (external deployment model)
- Log in to the vCenter web client and validate the configuration
Additional Notes:
If the RSA configuration is incorrect, follow the steps below to clear it.
- Connect to the PSC node via JXplorer
- Navigate to local->Services->Identitymanager->Tenants-><SSO Domain>
- Delete "RSAAgentConfigurations" under the SSO domain
- Log in to the PSC via SSH and delete "vsphere.local" under "/etc/vmware-sso/" (the folder name is the same as the SSO domain name)
- Reboot the PSC and the vCenter server