
RSA SecurID Ready Implementation Guide - Identity And Access

RSA SecurID Ready Implementation Guide Last Modified: May 3, 2007

Partner Information
  Partner Name: M-Tech Information Technology Inc
  Web Site: www.mtechit.com

Product Information
  Product Name: P-Synch / ID-Synch
  Version & Platform: P-Synch Version 6.X, ID-Synch 4.X (Windows 2000)
  Product Description: P-Synch is a total password management solution that includes password synchronization, self-service reset, security policy enforcement, profile builders, and more. ID-Synch is an account provisioning extension that provides automated workflow and centralized control.
  Product Category: Provisioning


Solution Summary

Partner Integration Overview
  Authentication Methods Supported: Native RSA SecurID Authentication
  List Library Version Used: 5.0
  RSA Authentication Manager Name Locking *: Yes
  RSA Authentication Manager Replica Support *: Full Replica Support
  Secondary RADIUS Server Support: No
  Location of Node Secret on Agent: \winnt\system32
  RSA Authentication Agent Host Type: Net OS
  RSA SecurID User Specification: All Users
  RSA SecurID Protection of Administrative Users: No
  RSA Software Token and SD800 Automation: No
  Use of Cached Domain Credentials: No

* = Mandatory Function when using Native SecurID Protocols

P-Synch and ID-Synch integrate with RSA Authentication Manager to provide a unified console that automates token provisioning, administration, and support processes.

P-Synch lets users who experience a token-related problem, such as a forgotten PIN, clock drift, or a misplaced token, resolve it through self-service. Features include PIN reset, access to emergency access codes, and clock resynchronization, available from a web browser, from the workstation login prompt, or from a telephone.

ID-Synch consolidates token administration processes. Users or managers requisition tokens, requests are routed to authorizers, approvals are tracked, physical token inventories are managed, tokens are allocated to new users and enabled once assigned, and delivery instructions are sent to the staff who physically handle tokens. All of this sits inside a larger user provisioning, management, and de-provisioning system, so RSA SecurID administration happens in the normal course of identity operations rather than as a separate process.


Product Requirements

Partner Product Requirements: P-Synch Server, ID-Synch Server, and Optional Proxy Server (the requirements are identical for all three)
  CPU: Pentium IV class or better x86
  Memory: minimum 256 MB RAM
  Storage: minimum 10 GB SCSI disk
  Operating System Platform / Required Patches:
    Microsoft Windows 2000: all patch levels supported
    Microsoft Windows 2003: all patch levels supported

Additional Software Requirements
  Application                                          Additional Patches
  RSA ACE/Agent 5.6 for Windows                        5.6
  RSA Authentication Agent 6.1 for Microsoft Windows   6.1
  IIS, Sun One, or Apache Web Server


Agent Host Configuration

To facilitate communication between the P-Synch / ID-Synch server(s) and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the P-Synch / ID-Synch server(s) within that database and contains information about communication and encryption.

To create the Agent Host record, you will need the following information.

  Hostname
  IP Addresses for all network interfaces
  RADIUS Secret (when using the RADIUS authentication protocol)

When adding the Agent Host Record, you should configure the P-Synch / ID-Synch server(s) as Net OS Agent. This setting is used by the RSA Authentication Manager to determine how communication with the P-Synch / ID-Synch server(s) will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network. The node secret that the Manager establishes with this agent is stored on the P-Synch / ID-Synch server under \winnt\system32 (see the Solution Summary); restrict file-system access to that location, since the node secret is what lets the Manager trust traffic as coming from this agent.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.


Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

An administrative account should be created within the RSA Authentication Manager to serve as the administrative ID when configuring the target on the P-Synch / ID-Synch server(s); for example: psadmin. Give this account only the administrative scope P-Synch / ID-Synch needs for user and token management, since its credentials will be stored on the P-Synch / ID-Synch server. Ensure that an IIS, Sun One, or Apache web server is installed on your P-Synch / ID-Synch server(s), as well as the RSA Authentication Agent.

Documenting the Solution

RSA SecurID functions provided by P-Synch / ID-Synch:

P-Synch Functions:
  Self-service password resets
  Self-service RSA SecurID token management operations: enable, disable, PIN clear, PIN set, resynchronize, toggle Emergency Access mode on and off
  Administrative / help desk password resets

ID-Synch Functions:
  Provision new RSA SecurID tokens
  Unassign RSA SecurID tokens
  Assign another RSA SecurID token
  Enable/Disable RSA SecurID tokens
  Modify RSA SecurID user/token attributes (extension)

Configuration Steps required to enable RSA SecurID provisioning via P-Synch / ID-Synch:

1. The remote administration service (psace) must be installed on the RSA Authentication Manager host so that an authorized P-Synch / ID-Synch server can manage SecurID users and tokens. Install this service on either the Windows or the Unix RSA Authentication Manager. Installation configures the port that P-Synch / ID-Synch will use for communication; the same port is later specified in the target address.

Windows-based RSA Authentication Manager: Run the P-Synch or ID-Synch installation package and choose the option to install the remote administration service (psace). Ensure that all other options are unchecked so that only the service gets installed.

Unix-based RSA Authentication Manager: The installation package for the remote administration service (psace) can be found within the psunix.tar file. Run the psace_inst.sh script to install and configure the service.

Consult the P-Synch or ID-Synch Installation and Configuration Guide for more information as to how to configure the remote administration service.


2. Create a new RSA Authentication Manager target on the P-Synch / ID-Synch server. The port number refers to the port configured by the remote administration service (psace) configured in the previous step.

Sample target address: authmgr6/4444 (server / port)


3. Set the administrative ID / password for the RSA Authentication Manager administrator account that was created on the RSA Authentication Manager server in the “Before You Begin” steps; for example: psadmin.

4. Optionally, create inventory type / location / templates / roles for provisioning new users.
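The following pre-flight checks cover the two places where this integration most often fails silently: the Agent Host record (hostname must resolve, and every interface of the P-Synch / ID-Synch server must be listed) and the target address / psace port of steps 1 and 2. This is an added example written for this page, not M-Tech or RSA code. It assumes the target string uses the 'server/port' form of the sample (authmgr6/4444), that psace answers a plain TCP connect on that port, and that the operator supplies the IP lists for the record and the server's interfaces; the sample addresses are constructed.

```python
"""Pre-flight checks for the P-Synch / ID-Synch -> RSA Authentication Manager
link configured in the steps above (Agent Host record, target address, psace
port).  Added example for this page; not M-Tech or RSA code.

Assumptions not stated in the guide: the target string uses the 'server/port'
form of the sample (authmgr6/4444); the psace service answers a plain TCP
connect on that port; the operator passes in the IP lists for the Agent Host
record and for the server's own interfaces.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def parse_target(target: str) -> tuple[str, int]:
    """Split a target address such as 'authmgr6/4444' into (hostname, port).
    Anything that is not exactly one host and one valid port is rejected."""
    host, sep, port = target.strip().partition("/")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"target must be 'server/port', got {target!r}")
    port_no = int(port)
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range in target {target!r}")
    return host, port_no


def _canonical(ips: Iterable[str]) -> set[str]:
    """Canonical address strings so ' 10.0.0.5 ' and '10.0.0.5' compare equal
    (ipaddress also rejects anything that is not a real IPv4/IPv6 address)."""
    return {str(ipaddress.ip_address(ip.strip())) for ip in ips}


def agent_host_record_problems(record_ips: Iterable[str],
                               interface_ips: Iterable[str]) -> list[str]:
    """Compare the addresses entered in the Agent Host record with the
    P-Synch / ID-Synch server's interfaces.  The Manager recognises the agent
    by source address, so every interface the agent can send from has to be in
    the record; an address in the record that the server does not own is a
    stale or mistyped entry."""
    record, local = _canonical(record_ips), _canonical(interface_ips)
    problems = [f"interface {ip} is missing from the Agent Host record"
                for ip in sorted(local - record)]
    problems += [f"record lists {ip}, which is not a local interface"
                 for ip in sorted(record - local)]
    return problems


def hostname_problems(hostname: str, record_ips: Iterable[str],
                      resolver: Optional[Callable[[str], list[str]]] = None) -> list[str]:
    """The guide's note: hostnames held by the Manager must resolve to valid
    local addresses.  Resolve the Agent Host name and flag any address that is
    not in the record.  'resolver' is injectable so the check can run offline."""
    if resolver is None:
        resolver = lambda name: socket.gethostbyname_ex(name)[2]
    try:
        resolved = resolver(hostname)
    except OSError as exc:
        return [f"{hostname} does not resolve: {exc}"]
    if not resolved:
        return [f"{hostname} resolves to no addresses"]
    return [f"{hostname} resolves to {ip}, which is not in the Agent Host record"
            for ip in sorted(_canonical(resolved) - _canonical(record_ips))]


def psace_reachable(target: str, timeout: float = 3.0) -> bool:
    """TCP connect to the psace port named in the target address.  False usually
    means the service is not installed or started on the Manager host, or a
    firewall between the two servers drops the port."""
    host, port = parse_target(target)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace with the real record and interfaces.
    record = ["10.10.1.20"]
    interfaces = ["10.10.1.20", "192.168.5.20"]  # second NIC not in the record
    for line in agent_host_record_problems(record, interfaces):
        print("agent host:", line)
    for line in hostname_problems("psynch01", record):
        print("dns:", line)
    print("psace reachable:", psace_reachable("authmgr6/4444"))
```

Run it from the P-Synch / ID-Synch server itself so the TCP probe exercises the same path (and the same firewalls) the product will use; a False from psace_reachable with psace running on the Manager points at a filter between the two hosts, which is also where access to that port should be restricted to the P-Synch / ID-Synch server(s) only.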


Example RSA SecurID / P-Synch / ID-Synch logon screens:

ID-Synch Self-Service Login
1. Enter your RSA SecurID login ID.
2. Enter your RSA SecurID passcode.
3. Use the self-service interface to reset and manage your RSA SecurID tokens.


P-Synch Self-Service Interface

Certification Checklist

Date Tested: May 3, 2007

Certification Environment
  Product                     Version Information                              Operating System
  RSA Authentication Manager  RSA Authentication Manager 6.1                   Windows 2000, Solaris 9 (SPARC)
  RSA Authentication Agent    RSA Authentication Agent 6.1                     Windows 2000
  RSA SecurID Tokens          RSA SecurID SID800, RSA SecurID SD600 key fob,   Windows 2000
                              RSA SecurID SD520 PIN pad, RSA Software Token
  Partner Product             P-Synch 6.x and ID-Synch 4.x

Mandatory Functionality                         RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN            (n/p)                 N/A
  System Generated PIN                          (n/p)                 N/A
  User Defined (4-8 Alphanumeric)               (n/p)                 N/A
  User Defined (5-7 Numeric)                    (n/p)                 N/A
  User Selectable                               (n/p)                 N/A
  Deny 4 and 8 Digit PIN                        (n/p)                 N/A
  Deny Alphanumeric PIN                         (n/p)                 N/A
PASSCODE
  16 Digit PASSCODE                             (n/p)                 N/A
  4 Digit Password                              (n/p)                 N/A
Next Tokencode Mode
  Next Tokencode Mode                           (n/p)                 N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)                      (n/p)                 N/A
  Name Locking Enabled                          (n/p)                 No
  No RSA Authentication Manager                 (n/p)                 N/A

Additional Functionality                        RSA Native Protocol   RADIUS Protocol
RSA Software Token Automation
  System Generated PIN                          N/A                   N/A
  User Defined (8 Digit Numeric)                N/A                   N/A
  User Selectable                               N/A                   N/A
  Next Tokencode Mode                           N/A                   N/A
RSA SD800 Token Automation
  System Generated PIN                          N/A                   N/A
  User Defined (8 Digit Numeric)                N/A                   N/A
  User Selectable                               N/A                   N/A
  Next Tokencode Mode                           N/A                   N/A
Domain Credential Functionality
  Determine Cached Credential State             N/A                   (n/p)
  Set Domain Credential                         N/A                   (n/p)
  Retrieve Domain Credential                    N/A                   (n/p)

Legend: [pass mark] = Pass, [fail mark] = Fail, N/A = Non-Available Function. The Pass/Fail marks were glyphs that did not survive the text transcript; cells shown as (n/p) are those whose mark is not recoverable here.