Configuration of RSA SecurID and PGP Encryption Server for administrative authentication

Article ID: 429215

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

PGP Encryption Server supports multiple methods of administrator authentication, including RSA SecurID. This article describes how to configure SecurID authentication, how it works, and the system requirements for using it.

Resolution

Getting Started with the Configuration of RSA SecurID Authentication and PGP Encryption Server

  1. To use RSA SecurID authentication, one or more RSA Authentication Manager servers must be configured prior to configuring SecurID on the PGP Encryption Server.
  2. The PGP Encryption Server IP address must be added as an agent to each RSA Authentication server.
  3. The RSA server configuration file (sdconf.rec) must be exported from the RSA server or cluster, and placed where it can be uploaded to the PGP Encryption Server.

 

Enabling SecurID Authentication

Tip: Before proceeding, take a backup of the PGP Encryption Server.
If the server runs on VMware, a snapshot is also useful in the unlikely event a rollback is needed.

  1. From the Administrators page, click the SecurID Authentication... button to display the SecurID Authentication page.
  2. Click Upload... to display the Upload Configuration File dialog, and browse to the location of the sdconf.rec file.
  3. Click Upload to upload the file.  An alert appears indicating that the server is restarting.

    Note: The sdconf.rec file contains information specific to your RSA SecurID servers. If the RSA configuration changes, it is recommended to recreate the file and upload it again.

  4. When the server has restarted, log in, and return to the Systems > Administrators page.
  5. Click SecurID Authentication... again to return to the SecurID Authentication page.

    The SecurID Authentication Enable button is now available.
    An icon and the file name are displayed, along with a Delete icon, an Upload... button, and a Test Connection button.

  6. To enable SecurID Authentication, click Enable.



Verifying connectivity with the RSA Authentication server

You can test the connection to ensure that the PGP Encryption Server can successfully contact the RSA Authentication Manager servers present in the RSA configuration file.
SecurID does not need to be enabled on the PGP Encryption Server, but you must have successfully uploaded the sdconf.rec file and restarted the server. It is recommended that you test the connection before you enable SecurID authentication.

  1. From the Administrators page click SecurID Authentication....
  2. Click Test Connection. A message appears indicating whether the test succeeded or failed.

The test will fail only if none of the servers in the configuration file can be reached.
The Test Connection function tests to ensure that at least one RSA server is reachable. It cannot be used to test an individual user ID.


Updating the SecurID configuration file

You can update the sdconf.rec file at any time without disabling SecurID authentication.

  1. From the Administrators page click SecurID Authentication....
  2. Click Upload..., browse to the location of the sdconf.rec file, and upload it.

The server will restart. SecurID authentication is still enabled.


Disabling SecurID authentication

For any administrator that is using SecurID authentication, go to Administrator Settings and set their Authentication type to Passphrase.
You cannot disable SecurID authentication if an administrator is using it as their authentication method.

  1. Go to the SecurID Authentication page and click Disable to disable SecurID authentication.
  2. To delete the sdconf.rec file, click the Delete icon.

If SecurID is not an option, but you would like to have a different authentication method available for the PGP Encryption Server, consider the following options:

171746 - PGP Administrator Password Complexity Enforcement via AD Admins (Directory Authentication) for PGP Encryption Server

 

Troubleshooting SecurID with PGP Encryption Server

If a PGP Encryption Server is rebooted and loses connectivity to the RSA SecurID server, reach out to Symantec Encryption Support.
IMSFR-1099

If you would like to use an "Open ID" option to authenticate to the PGP Encryption Server, or for further guidance on this topic, reach out to Symantec Encryption Support.

Additional Information

IMSFR-1099