Bay Networks

Worldwide Customer Service - Lifecycle Support for Adaptive Networking


Configuring an Annex with SecurID Security

This document describes and summarizes the steps necessary to get a Bay Networks Remote Annex or Communications Server to inter-operate in a Security Dynamics SecurID environment. This document tries to make very few assumptions about the initial environment or the user's familiarity with either product. Associated documentation written by either Bay Networks or Security Dynamics is referenced whenever possible.

This document is a joint effort by both Bay Networks and Security Dynamics to aid and assist mutual customers. However, this document should not be construed as a commitment by either company. While every attempt will be made to keep this document as up-to-date as possible, this information is subject to change without notice.

Pre-Requisite Software Version Information

Remote Annex 2000/4000/6x00 Family & Bay Networks 539x

The Remote Annex family of Bay Networks remote access servers running version R9.2.7 or later all provide support for Security Dynamics ACE/Server Client API version 1.x. Additionally, SecurID ACE/Server Client API version 2.x is supported on Remote Annex servers running version X11.1.2 or later.

Annex 3 & Micro Annex XL Family

The Annex Comm. Server family of Bay Networks communications servers running version R9.2.7 or later all provide support for Security Dynamics ACE/Server Client API version 1.x. Additionally, SecurID ACE/Server Client API version 2.x is supported on Annex 3 or Micro Annex XL servers running version X10.0.1 or later. The Micro Annex ELS does not support SecurID.

Configuring ACE/Server for Annex as a Client

Be sure a UNIX Client is added to the ACE/Server for the UNIX host running erpcd and that users have been activated on this client.

Section to be completed at a later date.

Installing and Configuring Annex Host-Based Software

Performing Initial Installation Built from Source Code

To successfully get the Annex Host-Based Software to work with SecurID, you must choose to install the software from the source code as opposed to using pre-compiled binaries. This is partially due to the fact that Bay Networks does not supply the ACE/Server Client API libraries with our distribution. Thankfully, every UNIX platform supported by the Annex software includes source code.

Over time, the Annex software installation procedure has become more refined. In general, refer to your Annex Installation Notes for UNIX to determine the exact method of starting the software installation. At some point during the installation, the procedure will give you the option of loading the source code and optionally building/compiling the software. Be sure to select the source code option as opposed to the "binary files only" option, even if building/compiling isn't an option. The modifications to the Annex host software will require re-building anyway.

Required Modifications for SecurID

The modifications required to integrate SecurID into an Annex Host-Based Software installation have one basic goal: the ACE/Server Client API library, sdiclient.a, must be included within the link path. For best results, if erpcd is not to be run on the ACE/Server, be sure a full SecurID UNIX client installation has been performed. Refer to the ACE/Server Clients for UNIX chapter of the ACE/Server Installation Guide for details.

The only UNIX executable required to be aware of SecurID is the daemon erpcd. The source code to this program is stored in the src/erpcd sub-directory of your Annex software installation directory. For this example, let's assume the Annex software was installed into the /ra directory.

  1. Change into the /ra/src directory:
    	# cd /ra/src
    
    
  2. Create a directory called sdclient:
    	# mkdir sdclient
    
    
  3. Copy the required ACE/Server Client API header files and library from /usr/ace:
    	# cp /usr/ace/<host-type>/sdiclient.a ./sdclient
    	# cp /usr/ace/<host-type>/*.h ./sdclient
    
    
    Note that ACE/Server version 2.1.1 Client API files are stored directly in /usr/ace, while version 2.2 Client API files are stored in /usr/ace/prog. Modify the two cp commands above as necessary.

  4. Edit the ./erpcd/Makefile and make the following changes:

    Uncomment the two lines that define ACE1_2 or ACE2_0 and specify the ACE/Server Client API library path. Also, comment out the flag that causes the "Annex password:" prompt to appear. Change:

    	# SECURIDFLAG = -DSECURID_CARD -DACE1_2
    	# SECURIDFILES = ../sdclient/sdiclient.a
    	...
    	PASSFLAG = -DPASS_SEC
    

    to:

    	SECURIDFLAG = -DSECURID_CARD -DACE1_2
    	SECURIDFILES = ../sdclient/sdiclient.a
    	...
    	# PASSFLAG = -DPASS_SEC
    
    

    Note that for Annex version R11.1 or greater and/or SecurID ACE/Server Client API version 2.x, the SECURIDFLAG line may be slightly different, but the change required is the same. The comments within ./erpcd/Makefile also document the changes required. Refer to these comments for more detailed and up-to-date information.

Re-Building the Annex Software

  1. Kill all existing erpcd daemons:
    	# ps -ax | grep erpcd
    	25493 ? IW 0:00 ./erpcd
    	25797 p1 S 0:00 grep erpcd
    	# kill 25493
    
    
  2. Re-build erpcd:
    	# cd /ra/src
    	# make erpcd
    
    
  3. Make sure that ACP is enabled in the eservices file, typically found in the /usr/annex directory. To enable ACP, confirm that a pound sign (#) does not precede the line containing the text "acp". The final result should look similar to:
    	# erpc remote programs
    	#
    	# prog no. verlo verhi name
    	#
    	1 0 0 bfs
    	3 0 99 acp
    
    
  4. Make sure that the /etc/hosts file on the machine running erpcd contains an alias of securid_0 for the machine that is running the ACE/Server (which may not necessarily be the machine running erpcd). For example:
    	# grep securid_0 /etc/hosts
    	192.0.55.143 demosrus securid_0
    
    
  5. Move the newly built erpcd into the /usr/annex directory and start it.
    	# mv /usr/annex/erpcd /usr/annex/erpcd.old
    	# cp ./erpcd/erpcd /usr/annex
    	# /usr/annex/erpcd
    
    

Configuring Annex for Host-Based Security

The following Annex parameters are required to enable Host-Based Security, which in turn enables ACE/Server based security. The parameters are shown with the required values. These values can be set by getting into admin:: on the Annex, or through Annex Manager.

	Annex Parameter		Required Value
	---------------		--------------
	enable_security		Y
	pref_secure1_host	<IP address of erpcd UNIX host>
	cli_security		Y

Additionally, with version R11.1 or later of the Remote Annex software, the file acp_regime in the /usr/annex directory should contain at least one line referencing the "securid" security paradigm. For example:
	# cat acp_regime
	protocol=PPP:acp
	protocol=SLIP:acp
	username=dugal:securid
	:acp
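
The file edits from the build and configuration steps above can be checked before erpcd is restarted. The shell functions below are an added example, not part of the Bay Networks or Security Dynamics software; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only checks on the files edited in the steps above.
# Function names are illustrative; each takes the path of the file to check.

# eservices: succeeds if an uncommented entry names the acp program.
acp_enabled() {
    awk '$1 !~ /^#/ && $4 == "acp" { ok = 1 } END { exit !ok }' "$1"
}

# hosts: print the address carrying the securid_0 alias (nothing if absent).
securid_host() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) {
             if ($i ~ /^#/) break
             if ($i == "securid_0") { print $1; exit } } }' "$1"
}

# acp_regime: succeeds if an active line selects the securid regime.
regime_has_securid() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq ':securid[[:space:]]*$'
}

# Makefile: SECURIDFLAG and SECURIDFILES active, PASSFLAG commented out.
makefile_ready() {
    grep -Eq '^[[:space:]]*SECURIDFLAG[[:space:]]*=' "$1" &&
    grep -Eq '^[[:space:]]*SECURIDFILES[[:space:]]*=' "$1" &&
    ! grep -Eq '^[[:space:]]*PASSFLAG[[:space:]]*=' "$1"
}

# Constructed sample files modelled on the listings in this document.
d=$(mktemp -d)
printf '# prog no. verlo verhi name\n1 0 0 bfs\n3 0 99 acp\n' > "$d/eservices"
printf '127.0.0.1 localhost\n192.0.55.143 demosrus securid_0\n' > "$d/hosts"
printf 'protocol=PPP:acp\nusername=dugal:securid\n:acp\n' > "$d/acp_regime"
printf 'SECURIDFLAG = -DSECURID_CARD -DACE1_2\nSECURIDFILES = ../sdclient/sdiclient.a\n# PASSFLAG = -DPASS_SEC\n' > "$d/Makefile"

acp_enabled "$d/eservices" && echo "eservices: acp enabled"
echo "securid_0 -> $(securid_host "$d/hosts")"
regime_has_securid "$d/acp_regime" && echo "acp_regime: securid regime present"
makefile_ready "$d/Makefile" && echo "Makefile: SecurID flags set, PASSFLAG off"
rm -rf "$d"
```

On an installation laid out as in this document, the functions would be pointed at /usr/annex/eservices, /etc/hosts, /usr/annex/acp_regime and /ra/src/erpcd/Makefile.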

Troubleshooting

There are a few things you can try yourself to diagnose problems with SecurID authentication.

  • Attempt to compile and run the SecurID sample program called /usr/ace/example2.c by typing:
    	# make -f example2.mk
    
    If the make fails on the last line, you may have to re-type it as follows:
    	# cc -o example2 example2.o examsubs.o sdiclient.a
    
    This seems to be a problem with the supplied makefile. Your mileage may vary.

  • Run erpcd -D and watch for calls to the acp_securid_authenticate routine as well as any errors preceding or succeeding this call.

  • If you receive the error "/var/ace/sdconf.rec not found" while running either example2 or erpcd -D, try softlinking your sdconf.rec configuration file to /var/ace/sdconf.rec by typing:
    	# ln -s <my VAR_ACE>/sdconf.rec /var/ace/sdconf.rec
    
    Some versions of the SecurID client API refer to a default path for sdconf.rec if the VAR_ACE environment variable is not set.

  • Check the ACE/Server activity log using /usr/ace/sdadmin to confirm that erpcd is actually reaching the expected ACE/Server.

  • If you see entries in the sdadmin activity log stating that "Node Verification Failed", be sure that the UNIX Client has been added to the ACE/Server. If so, edit the client and uncheck the "Sent Node Secret" button. Then try running example2 from the client again.

Note that ACE/Server version 2.2 binaries and example files are stored in /usr/ace/prog.


Last Modified: February 18, 1997


Copyright © Bay Networks, Inc., 1997. All rights reserved.