RSA® Authentication Manager 8.1 Administrator’s Guide
Revision 1
Copyright © 1994-2014 EMC Corporation. All Rights Reserved. Published in the U.S.A.
December 2013
Revised: December 2014
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers: 
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or 
other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go 
to  www.emc.com/legal/emc-corporation-trademarks.htm#rsa
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and 
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice 
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any 
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any 
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to 
third-party software in this product may be viewed on the product documentation page on RSA SecurCare Online. By using 
this product, a user of this product agrees to be fully bound by terms of the license agreements.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption 
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this 
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change 
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO 
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS 
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR 
FITNESS FOR A PARTICULAR PURPOSE.
H13778
Contents
Revision History............................................................................................................17
Preface.................................................................................................................................19
About This Guide..............................................................................................................19
RSA Authentication Manager 8.1 Documentation...........................................................19
Related Documentation.....................................................................................................20
Support and Service..........................................................................................................20
Before You Call Customer Support...........................................................................21
Chapter 1: RSA Authentication Manager Overview................................23
Introduction to RSA Authentication Manager..................................................................23
Multifactor Authentication........................................................................................23
Key Components for RSA Authentication Manager........................................................24
Primary Instance........................................................................................................24
Replica Instance.........................................................................................................25
Identity Sources.........................................................................................................25
RSA Authentication Agents.......................................................................................25
Risk-Based Authentication for a Web-Based Resource............................................26
RSA RADIUS Overview...........................................................................................26
Web Tier....................................................................................................................27
Self-Service................................................................................................................27
Load Balancer............................................................................................................28
RSA SecurID Authentication Overview...........................................................................28
RSA SecurID Authentication Process.......................................................................29
RSA SecurID Tokens.................................................................................................30
The Role of RSA Authentication Manager In SecurID Authentication....................32
On-Demand Authentication..............................................................................................32
On-Demand Authentication User Logon Example....................................................33
Risk-Based Authentication...............................................................................................33
Risk-Based Authentication Prevents Data Loss from Stolen Passwords..................34
How Risk-Based Authentication Works....................................................................35
Chapter 2: Preparing RSA Authentication Manager for Administration................................................................................................................37
Security Console...............................................................................................................37
Log On to the Security Console.................................................................................38
Security Console Customization................................................................................38
Security Console Protection.......................................................................................41
Configure Security Console Authentication Methods...............................................41
Identity Sources.................................................................................................................42
Data from an LDAP Directory...................................................................................43
Data from the Internal Database................................................................................43
Security Domain Overview...............................................................................................43
User Organization and Management.........................................................................43
Policy Enforcement....................................................................................................44
Scope of Administrator’s Control..............................................................................44
Security Domains and Policies..................................................................................45
Add a Security Domain..............................................................................................45
Default Security Domain Mappings..........................................................................47
Planning for Domain Name System Updates...................................................................48
Administrative Role Overview.........................................................................................48
Types of Administrative Roles..................................................................................48
Administrative Role Assignment...............................................................................49
Administrative Role Components..............................................................................50
Predefined Administrative Roles...............................................................................55
Administrative Role Settings.....................................................................................60
Administrative Role Scope and Permissions.............................................................61
Add an Administrative Role......................................................................................63
Assign an Administrative Role..................................................................................64
View Available Permissions of an Administrator.....................................................65
Chapter 3: Deploying Authentication Agents.............................................67
RSA Authentication Agents..............................................................................................67
Authentication Agent Types......................................................................................67
Obtaining RSA Authentication Agents......................................................................67
Deploying an Authentication Agent.................................................................................68
Generate the Authentication Manager Configuration File........................................69
Add an Authentication Agent....................................................................................70
Node Secret for Encryption...............................................................................................72
Manual Delivery of the Node Secret.........................................................................72
Manage the Node Secret............................................................................................73
Refresh the Node Secret Using the Node Secret Load Utility...................................73
Automatic Agent Registration..........................................................................................74
Allow an Agent to Auto-Register..............................................................................75
Download an RSA Authentication Manager Server Certificate................................75
Contact Lists for Authentication Requests........................................................................76
Automatic Contact Lists............................................................................................76
Manual Contact Lists.................................................................................................77
Chapter 4: Configuring Authentication Policies.......................................79
Policies..............................................................................................................................79
Token Policy.....................................................................................................................80
Token Policy Settings................................................................................................81
Add a Token Policy...................................................................................................84
Offline Authentication Policy...........................................................................................86
Offline Authentication Policy Settings......................................................................86
Add an Offline Authentication Policy.......................................................................88
Password Policy................................................................................................................89
Password Policy Settings...........................................................................................90
Add a Password Policy..............................................................................................93
Lockout Policy..................................................................................................................94
Lockout Policy Settings.............................................................................................94
Add a Lockout Policy................................................................................................95
Self-Service Troubleshooting Policy................................................................................96
Self-Service Troubleshooting Policy Settings...........................................................96
Add a Self-Service Troubleshooting Policy..............................................................97
Risk-Based Authentication Policies..................................................................................98
Risk-Based Authentication (RBA) Policy Settings...................................................98
Add a Risk-Based Authentication Policy..................................................................99
Risk-Based Authentication Message Policy...................................................................101
Risk-Based Authentication Message Policy Settings..............................................101
Add a Risk-Based Authentication Message Policy.................................................101
Chapter 5: Integrating LDAP Directories.....................................................103
Identity Sources...............................................................................................................103
Data from an LDAP Directory.................................................................................103
Data from the Internal Database..............................................................................104
Identity Source Data Flow.......................................................................................104
Identity Source Properties........................................................................................105
Identity Source Scope..............................................................................................109
Active Directory Identity Sources that are Not Global Catalogs..............................110
Active Directory Global Catalog Identity Sources..................................................111
Configure the Active Directory Connection Time-Out............................................114
Integrating an LDAP Directory as an Identity Source.....................................................114
Add an Identity Source............................................................................................115
Link an Identity Source to the System.....................................................................117
Verify the LDAP Directory Identity Source............................................................117
Failover Servers.......................................................................................................117
Securing the Communications Path.................................................................................119
Identity Source SSL Certificates..............................................................................119
Password Policy for Active Directory.....................................................................121
Custom Attribute Mapping.............................................................................................121
Identity Source User Attributes...............................................................................122
Unique Identifier Attribute......................................................................................122
User Account Enabled State Attribute.....................................................................123
Chapter 6: Administering Users........................................................................125
Common User Administration Tasks..............................................................................125
Add a User to the Internal Database...............................................................................125
User Status......................................................................................................................127
Disable a User Account...........................................................................................127
Enable a User Account............................................................................................127
Security Domains to Organize Users..............................................................................128
Move Users Between Security Domains.................................................................128
Duplicate User IDs...................................................................................................129
User Authentication........................................................................................................129
Manage User Authentication Settings.....................................................................129
Logon Alias..............................................................................................................131
Unlock a User..........................................................................................................131
Incorrect Passcode Count.........................................................................................132
Managing Security Questions.........................................................................................132
Set Requirements for Security Questions................................................................133
Custom Security Questions......................................................................................133
Modify the Security Questions File.........................................................................134
Emergency Online Authentication..................................................................................135
Assign a Set of One-Time Tokencodes...................................................................136
Assign a Temporary Fixed Tokencode....................................................................137
Emergency Offline Authentication.................................................................................138
Provide an Offline Emergency Access Tokencode.................................................138
Provide an Offline Emergency Passcode.................................................................139
RSA SecurID PINs..........................................................................................................140
Set an Initial On-Demand Authentication PIN for a User.......................................140
Clear a User's On-Demand Authentication PIN......................................................141
Require Users to Change Their RSA SecurID PINs................................................141
Clear an RSA SecurID PIN.....................................................................................142
Obtain the PIN Unlocking Key for an RSA SecurID 800 Authenticator................142
Import PIN Unlocking Keys....................................................................................143
User Groups....................................................................................................................144
User Group Organization.........................................................................................144
User Group Characteristics......................................................................................144
Creating User Groups..............................................................................................145
Internal User Groups................................................................................................145
Add a User Group....................................................................................................146
Add a User to a User Group.....................................................................................146
Controlling User Access With Authentication Agents...................................................147
Configuring a Restricted Agent to Control User Access.........................................148
Restricted Access Times for User Groups...............................................................149
Access to Restricted Agents by Active Directory Groups.......................................151
View User Groups Allowed to Authenticate on a Restricted Agent.......................151
User Data in an LDAP Directory....................................................................................152
How a User Becomes Unresolvable........................................................................152
How a User Group Becomes Unresolvable.............................................................152
Manual Cleanup for Unresolvable Users.................................................................153
Clean Up Unresolvable Users Manually.................................................................153
Scheduling Cleanup for Unresolvable Users and User Groups...............................154
Schedule a Cleanup Job...........................................................................................156
Moving Users in an LDAP Directory......................................................................157
Modifying a User in an LDAP Directory................................................................160
Modifying Group Membership in an LDAP Directory...........................................161
Chapter 7: Administering RSA Authentication Manager...................163
Delegated System Administration..................................................................................163
Super Admin............................................................................................................163
Operations Console Administrators.........................................................................163
System Administrator Accounts.....................................................................................163
Authentication Manager Administrator Accounts...................................................164
Appliance Operating System Account.....................................................................165
Add a Super Admin.........................................................................................................165
Add an Operations Console Administrator.....................................................................166
Change an Operations Console Administrator's Password.............................................166
Operations Console.........................................................................................................167
Log On to the Operations Console..........................................................................167
Session Lifetime Limits..................................................................................................168
Types of Session Lifetime Limits............................................................................169
Edit Session Lifetime Settings.................................................................................169
Updating Identity Source Properties...............................................................................170
Unlink Identity Sources from the System................................................................170
Edit an Identity Source............................................................................................171
Link an Identity Source to the System.....................................................................172
Verify the LDAP Directory Identity Source............................................................172
Certificate Management for Secure Sockets Layer.........................................................172
Console Certificate..................................................................................................173
Replacing the Console Certificate...........................................................................173
Generate a Certificate Signing Request Using the Operations Console..................174
Import a Console Certificate....................................................................................175
Activate a New SSL Console Certificate.................................................................176
Replace an Expired Console Certificate..................................................................177
Licenses...........................................................................................................................178
Install a License.......................................................................................................179
View Installed Licenses...........................................................................................180
Chapter 8: Administering Web Tier Deployments.................................183
Web Tier Deployment Administration...........................................................................183
Edit a Web-Tier Deployment Configuration...........................................................183
Changing the IP Address of a Web-Tier Server......................................................184
Update the Load Balancer and Virtual Host............................................................185
Verify the Web-Tier Version...................................................................................186
Update the Web-Tier...............................................................................................186
Uninstall a Web Tier on Windows..................................................................................187
Uninstall a Web Tier on Linux.......................................................................................187
Managing the Web-Tier Service.....................................................................................188
Manage the RSA Web-Tier Bootstrapper Server on Windows...............................188
Manage the RSA Web-Tier Bootstrapper Server on Linux.....................................189
Replace the Default RSA Virtual Host Certificate.........................................................189
Certificate Authority Certificate Files.....................................................................190
Replacing the Default Virtual Host Certificate........................................................190
Generate a Certificate Signing Request (CSR) for the Web Tier............................191
Import a Signed Virtual Host Certificate.................................................................191
Activate a Virtual Host Certificate..........................................................................192
Logout Error on the Self-Service Console in the Web Tier....................................193
Chapter 9: Deploying and Administering RSA SecurID Tokens...195
RSA SecurID Tokens......................................................................................................195
Deploying RSA SecurID Tokens....................................................................................195
Import a Token Record File.....................................................................................196
Move a Token Record to a New Security Domain..................................................197
Assign Tokens to Users...........................................................................................197
Software Token Profiles..........................................................................................198
Add a Software Token Profile.................................................................................200
Distribute a Hardware Token...................................................................................203
Distribute Multiple Software Tokens Using File-Based Provisioning....................203
Distribute One Software Token Using File-Based Provisioning.............................204
Distribute Multiple Software Tokens Using Dynamic Seed Provisioning (CT-KIP).......................................................205
Distribute One Software Token Using Dynamic Seed Provisioning.......................................................................208
Distribute Multiple Software Tokens Using Compressed Token Format (CTF).............................................................210
Distribute One Software Token Using Compressed Token Format (CTF).............................................................211
Administering RSA SecurID Tokens..............................................................................212
Enabled and Disabled Tokens..................................................................................212
Enable a Token........................................................................................................213
Disable a Token.......................................................................................................213
Delete a Token.........................................................................................................214
Edit a Token.............................................................................................................214
User Assistance for Lost, Stolen, Damaged, or Expired Tokens.............................215
Assign a Replacement Token..................................................................................215
Resynchronize a Token...........................................................................................215
Exporting and Importing Users and Tokens Between Deployments..............................216
Impact of Export and Import on Authentication......................................................216
Impact of Export and Import on Identity Sources...................................................216
Impact of Export and Import on Users....................................................................217
Download the Encryption Key................................................................................219
Export Tokens..........................................................................................................220
Import Tokens from Another Deployment..............................................................221
Export Users with Tokens........................................................................................222
Import Users with Tokens........................................................................................223
Chapter 10: Deploying On-Demand Authentication.............................225
On-Demand Authentication............................................................................................225
Planning for On-Demand Authentication.......................................................................225
Configuring On-Demand Tokencode Delivery by Text Message..................................226
Identity Attribute Definitions for On-Demand Tokencode Delivery by Text Message...................................................................................................226
Configure the HTTP Plug-In for On-Demand Tokencode Delivery.......................227
SMS HTTP Plug-In Configuration Parameters.......................................................230
Change the SMS Service Provider...........................................................................231
Configuring On-Demand Tokencode Delivery by E-mail..............................................232
Configure the SMTP Mail Service..........................................................................232
Identity Attribute Definitions for On-Demand Tokencode Delivery by E-Mail..............................................................................................................233
Configure E-mail for On-Demand Tokencode Delivery.........................................235
Configuring Users for On-Demand Authentication........................................................236
Enable On-Demand Authentication for a User........................................................236
PINs for On-Demand Authentication......................................................................237
Enable Users to Set Their Initial On-Demand Authentication PINs.......................237
Set a Temporary On-Demand Tokencode PIN for a User.......................................238
Enable Users to Update Phone Numbers and E-mail Addresses.............................238
On-Demand Authentication with an Authentication Agent or a RADIUS Client..........239
New PINs and On-Demand Tokencodes for Authentication Agents and RADIUS Clients.............................................................................................240
Restrictions of On-Demand Tokencodes.................................................................240
Chapter 11: RSA Self-Service.............................................................................241
RSA Self-Service Overview...........................................................................................241
Self-Service Console User Experience....................................................................241
User Enrollment......................................................................................................242
Identity Sources for Self-Service Users...................................................................242
Configuring Self-Service................................................................................................243
Enable Enrollment by Selecting Identity Sources...................................................243
Select Security Domains for Self-Service...............................................................244
Select User Groups for Self-Service........................................................................245
User Profile Configuration for Self-Service............................................................246
Set the Authentication Method for the Self-Service Console..................................247
Security Questions for Self-Service.........................................................................248
Configure E-mail Notifications for Self-Service User Account Changes...............248
E-mail Template Example for the Self-Service Console.........................................250
Customizing the Self-Service Console...........................................................................251
Enable or Disable Self-Service Features.................................................................251
Customize Self-Service Console Web Pages...........................................................252
Customizing the Self-Service Console User Help...................................................253
Provisioning Overview...................................................................................................253
Administrative Roles in Provisioning......................................................................254
Scope for Request Approvers and Token Distributors............................................255
Privileges for Request Approvers and Token Distributors......................................255
Workflow for Provisioning Requests......................................................................256
Workflow Policy......................................................................................................256
Configuring Provisioning................................................................................................257
Enable Provisioning.................................................................................................257
Change the Default Workflow Policy......................................................................257
Assign a Workflow Policy to a Security Domain....................................................258
Change Workflow Definitions.................................................................................258
Using E-mail Notifications for Provisioning Requests............................................259
Configure E-mail Notifications for Provisioning Workflow Participants...............260
Managing Authenticators for Self-Service Users...........................................................260
Configure Authenticators for Self-Service Users....................................................261
Configure Shipping Addresses for Hardware Authenticators.................................262
Creating Multiple Requests and Archiving Requests.....................................................263
User Groups and Token Bulk Requests Utility.......................................................263
Archive Requests Utility..........................................................................................268
Self-Service Troubleshooting.........................................................................................270
Add a Self-Service Troubleshooting Policy............................................................270
Chapter 12: Deploying Risk-Based Authentication...............................273
Risk-Based Authentication.............................................................................................273
Risk-Based Authentication Data Flow............................................................................274
Deployment Considerations for Risk-Based Authentication..........................................276
Risk Engine Considerations for Risk-Based Authentication..........................................277
Minimum Assurance Level......................................................................................278
Recommendations for Determining the Minimum Assurance Level......................278
The Impact of User Behavior on Risk-Based Authentication.................................279
Silent Collection..............................................................................................................280
Implementing Risk-Based Authentication......................................................................281
Backup Authentication Method for Risk-Based Authentication.............................281
Obtaining RSA Authentication Agents....................................................................282
Install the RBA Integration Script Template...........................................................283
Configure the Authentication Agent for Risk-Based Authentication......................283
Testing Your Risk-Based Authentication Integration.............................................284
Troubleshooting the Authentication Test........................................................................285
User Enablement for Risk-Based Authentication Users.................................................288
Enabling Identity Confirmation Methods for a Risk-Based Authentication Policy.......288
How a User Configures an Identity Confirmation Method.....................................288