This configuration protects a vSphere 6.5 external Platform Services Controller with RSA SecurID two-factor authentication.
vCenter Server SSO and the RSA Authentication Manager must share a common LDAP identity source (for example, an Active Directory domain): the SecurID token is assigned to a user in that source, and SSO maps that user to the RSA user ID through an LDAP attribute.
=========================================
Configure the RSA Authentication Manager 8.3
=========================================
1. Add the Identity Source to the Authentication Manager Operations Console
2. Configure the Identity Source Mapping
3. Test the connection to the Identity Source
4. Link the Identity Source
5. Configure the Default Security Domain Mapping for the Identity Source
6. Assign the Identity Source user account a SecurID Token
NOTE: Ensure that you select the Active Directory Domain from the Identity Source drop-down prior to assigning the user a SecurID Token.
7. Download the RSA Authentication Manager server certificate
8. Add the RSA Authentication Manager server certificate to the Platform Services Controller's Trusted Root Store
9. Import the certificate of the LDAP Identity Source to the RSA Authentication Operations Console
10. Add an Authentication Agent (the external Platform Services Controller)
11. Confirm that the Authentication Agent is listed as "Selected" within the Authentication Manager Contact List
12. Add the hostname and IP address of the Authentication Manager to the agent authentication settings under Security Console > Setup > System Settings > Agents ("To configure agents using IPv6, click here")
13. Generate the Authentication Agent Configuration File (sdconf.rec)
14. Enable the RSA SecurID Authentication API
==========================================================
Configure the 6.5 External Platform Services Controller
==========================================================
1. Use WinSCP (or scp) to copy the sdconf.rec file to the external Platform Services Controller. On the appliance, WinSCP requires root's login shell to be bash rather than the appliance shell: switch to bash first (type "shell" at the appliance shell prompt) and run "chsh -s /bin/bash root"
2. Open an SSH session to the Platform Services Controller and log in as root
3. Change to the directory that contains the sso-config.sh script
Appliance: /opt/vmware/bin
Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services
4. Enable RSA SecurID Authentication on the tenant
# sso-config.[sh|bat] -t tenantName -set_authn_policy -securIDAuthn true
For example:
# sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
Note: After you enable RSA SecurID, the "Use RSA SecurID" checkbox appears on the vSphere Web Client login page
5. Configure the Tenant to use the RSA Site.
# sso-config.[sh|bat] -set_rsa_site [-t tenantName] [-siteID Location] [-agentName Name] [-sdConfFile Path]
For Example:
# sso-config.sh -set_rsa_site -t vsphere.local -siteID fed-linpsc.fedlab.local -agentName fed-linpsc.fedlab.local -sdConfFile /tmp/sdconf.rec
6. Set the userID mapping using the attribute configured in the RSA Authentication Manager for the Identity Source
# sso-config.[sh|bat] -set_rsa_userid_attr_map [-t tenantName] [-idsName Name] [-ldapAttr AttrName] [-siteID Location]
For Example:
# sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName fedlab.local -ldapAttr userPrincipalName
7. Confirm that the agentName, siteID, and idsUserIDAttributeMaps values are correct
# sso-config.sh -t tenantName -get_rsa_config
For Example:
# sso-config.sh -t vsphere.local -get_rsa_config
8. Authenticate to vCenter Server using RSA SecurID with a user from the LDAP identity source
NOTE: User accounts managed by vCenter Server SSO itself (for example, administrator@vsphere.local) cannot use two-factor authentication; only users from the LDAP identity source can.
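The following script is an added example, not code from the original page or from VMware. It strings together steps 4 to 7 above on a Linux Platform Services Controller: it refuses to run unless sdconf.rec is readable and sso-config.sh exists, applies the three sso-config.sh commands, and then parses the -get_rsa_config output to confirm that the siteID, agentName, identity source and LDAP attribute that were just set are really present. The tenant, site, agent, identity source and attribute values are the page's own examples and can be overridden from the environment; the hostname-versus-agentName comparison and the --apply gate are assumptions added here as a sanity check.

```shell
#!/bin/sh
# Added example, not from the original page or from VMware: drives steps 4
# to 7 above on a Linux PSC appliance and refuses to run without sdconf.rec.
# Values below are the page's example names; override them from the
# environment for your site. Run with --apply to make changes.
set -eu

SSO_CONFIG="${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}"
TENANT="${TENANT:-vsphere.local}"
SITE_ID="${SITE_ID:-fed-linpsc.fedlab.local}"
AGENT_NAME="${AGENT_NAME:-fed-linpsc.fedlab.local}"
SDCONF="${SDCONF:-/tmp/sdconf.rec}"
IDS_NAME="${IDS_NAME:-fedlab.local}"
LDAP_ATTR="${LDAP_ATTR:-userPrincipalName}"

# Sanity checks before the tenant is modified. The hostname comparison is
# an added check (assumption): Authentication Manager identifies the agent
# by host, so a mismatch usually means the wrong agentName was typed.
preflight() {
  [ -x "$SSO_CONFIG" ] || { echo "sso-config not executable: $SSO_CONFIG" >&2; return 1; }
  [ -r "$SDCONF" ] || { echo "sdconf.rec not readable: $SDCONF" >&2; return 1; }
  h="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)"
  [ "$h" = "$AGENT_NAME" ] || echo "warning: local hostname $h != agentName $AGENT_NAME" >&2
}

# Steps 4 to 6: enable SecurID on the tenant, point it at the RSA site,
# and map SSO users to RSA user IDs by the chosen LDAP attribute.
apply_rsa_config() {
  "$SSO_CONFIG" -t "$TENANT" -set_authn_policy -securIDAuthn true
  "$SSO_CONFIG" -set_rsa_site -t "$TENANT" -siteID "$SITE_ID" \
    -agentName "$AGENT_NAME" -sdConfFile "$SDCONF"
  "$SSO_CONFIG" -set_rsa_userid_attr_map -t "$TENANT" \
    -idsName "$IDS_NAME" -ldapAttr "$LDAP_ATTR"
}

# Step 7: dump the tenant's RSA configuration and check that every value
# we set is present; returns non-zero (and names the missing value) if not.
verify_rsa_config() {
  out="$("$SSO_CONFIG" -t "$TENANT" -get_rsa_config)"
  rc=0
  for needle in "$SITE_ID" "$AGENT_NAME" "$IDS_NAME" "$LDAP_ATTR"; do
    case "$out" in
      *"$needle"*) ;;
      *) echo "not found in get_rsa_config output: $needle" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

main() {
  preflight
  apply_rsa_config
  verify_rsa_config
  echo "RSA SecurID configured on tenant $TENANT; test a login with an LDAP user next"
}

if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as root on the PSC with `sh rsa-securid-setup.sh --apply` after sdconf.rec has been copied to /tmp; the verification step is the one worth keeping even if you type the commands by hand, because a typo in -idsName or -ldapAttr is only noticed at the first failed SecurID login.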
REFERENCES:
Set Up RSA SecurID Authentication (VMware vSphere documentation)
Two-Factor Authentication for vSphere – RSA SecurID (VMware vSphere Blog, April 2016)
https://blogs.vmware.com/vsphere/2016/04/two-factor-authentication-for-vsphere-rsa-securid.html
RSA Setup Guide