Configuring SecurID ACE/Server

These are the options to enable connectivity between Virtual Systems and a SecurID ACE/Server:

• Shared configuration: All authentication servers are accessible by all Virtual Systems through the VSX Gateway. The Virtual Systems on each VSX Gateway use the same encryption key. This is the default option.
• Private configuration: Authentication servers are accessed directly by the Virtual System and use the Virtual System cluster IP address as the source address. Each Virtual System uses a separate encryption key. For High Availability configurations, the Virtual Systems on different VSX Cluster Members use the same encryption key.

  Note - You can configure authentication for more than one ACE/Server in private mode. Contact Check Point Support for more information.

The SecurID ACE/Server sends a shared key (called a "node secret") to its peer ACE/Clients. This key is unique per IP address, and is sent when it connects to the ACE/Server for the first time.

Configuring Shared Authentication

Configure shared authentication so that all the Virtual Systems on the VSX Gateway use the same encryption key to authenticate to the remote SecurID/ACE server. Each VSX Cluster Member uses a different encryption key and node secret file.

The SecurID encryption key is stored in the sdconf.rec file. When you generate the sdconf.rec file, use the MIP (Member IP) address of a VSX Gateway interface that connects to the ACE/Server.

The first time that a Virtual System connects and attempts to authenticate to the ACE/Server, the server sends the node secret file (securid) to that Virtual System. Copy the node to all the other Virtual Systems.

To generate an sdconf.rec file:

1. From the ACE/Server, generate the sdconf.rec file with the VSX Gateway MIP.
2. Do the previous step again for each VSX Cluster Member using the VSX Gateway MIP.

   For example, a VSX Cluster with three VSX Cluster Members and each VSX Cluster Member has five Virtual Systems. Generate three sdconf.rec files, one for each VSX Cluster Member.

To configure shared authentication:

1. Configure shared authentication on the Virtual Systems.
   1. Connect with SmartConsole to the Management Server.
   2. From the left navigation panel, click Gateways & Servers.
   3. Double-click the applicable Virtual System object.

      The Virtual Systems General Properties window opens.

   4. From the navigation tree, select Other > Legacy Authentication.
   5. Make sure that SecurID and Shared are selected.
   6. Click OK.

      Do all of the previous steps for each Virtual System.

   7. Install the policy on the Virtual Systems.
2. From the VSX Gateway CLI, for each Virtual System create the sdopts.rec file that contains the MIP.
   1. Connect to the command line on the VSX Gateway.
   2. Log in to the Expert mode.
   3. Change the context to the <tp_vs> 0. Run:

      # vsenv 0

   4. Create the /var/ace/sdopts.rec file:

      # touch /var/ace/sdopts.rec

   5. In a plain-text editor, add this line to the /var/ace/sdopts.rec file:

      CLIENT_IP=<Member IP Address of VSX Gateway>

   6. Change the context to other Virtual System:

      # vsenv <VSID>

   7. Create the $FWDIR/conf/sdopts.rec file:

      # g_all touch $FWDIR/conf/sdopts.rec

   8. In a plain-text editor, add this line to the sdopts.rec file:

      CLIENT_IP=<Member IP Address of VSX Gateway>

3. For each Virtual System, copy the same encryption key file, sdconf.rec, to the applicable directory:
   • For VS0, copy the file to the /var/ace/ directory.
   • For other Virtual Systems, copy the file to the $FWDIR/conf/ directoryin the context of each Virtual System.
4. For cluster configurations, do all of the previous steps for each VSX Cluster Member.
5. For cluster configurations, on the Management Server of the VSX Cluster, make sure that Hide NAT is disabled.

   On Multi-Domain Server, work in the context of the Target Domain Management Server that manages the Virtual System.

   1. Open the applicable table.def file. See sk98339.
   2. Make sure that the no_hide_services_ports parameter contains UDP port 5500.

      Sample parameter with Hide NAT disabled:

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };

   3. Save the file.
   4. In SmartConsole, install the Security Policy on the Virtual Systems.

To distribute the node secret to the Virtual Systems:

1. Authenticate to the VSX Gateway with a SecurID ACE/Server user account.

   The ACE/Server sends the node secret file to the VSX Gateway.

2. Search each Virtual System to locate the node secret file called securid.
   • For VS0, search in the /var/ace/ directory.
   • For other Virtual Systems, search in the $VAR_ACE directory in the context of Virtual Systems.
3. Copy the securid file to the applicable directory:
   • For VS0, copy the file to the /var/ace/ directory.
   • For other Virtual Systems, copy the file to the $FWDIR/conf/ directory.
4. For cluster configurations, for each VSX Cluster Member:
   • Locate a Virtual System that is Active on that VSX Cluster Member and do the all the previous steps.
   • If there are no Virtual Systems in the Active state on that VSX Cluster Member, fail-over to the applicable VSX Cluster Member and then do the all the previous steps.

Configuring Private Authentication

Configure private authentication so that the active and standby Virtual Systems use the same encryption key and node secret file to authenticate to the remote SecurID ACE/Server.

The SecurID encryption key is stored in the sdconf.rec file. When you generate the sdconf.rec file, use the VIP (Virtual IP) address of the Virtual System interface that connects to the ACE/Server.

The first time that a VSX Gateway connects to the ACE/Server, the server sends the node secret file (securid) to that VSX Gateway. Copy the node to all the other VSX Gateways.

To generate an sdconf.rec file:

1. From the ACE/Server, generate the sdconf.rec file with the Virtual System VIP address.
2. Do the previous step again for each Virtual System on the VSX Gateway.

   Example:

   A VSX Cluster with three Cluster Members. Each VSX Cluster Member has five Virtual Systems.

   You need to generate five sdconf.rec files - one for each Virtual System.

To configure private authentication:

1. Configure private authentication on the VSX Gateway and the Virtual Systems:
   1. Connect with SmartConsole to the Management Server.
   2. From the left navigation panel, click Gateways & Servers.
   3. Double-click the VSX Gateway object.

      The VSX Gateway General Properties window opens.

   4. From the navigation tree, select Other > Authentication.
   5. Make sure that SecurID and Private are selected.
   6. Click OK.

      Do all of the previous steps for each Virtual System.

   7. Install the policy on the Virtual Systems.
2. On the VSX Gateway, for each Virtual System create the sdopts.rec file that contains the the VIP address of that Virtual System:
   1. Connect to the command line on the VSX Gateway.
   2. Log in to the Expert mode.
   3. Change the context to the <tp_vs> 0:

      # vsenv 0

   4. Create the /var/ace/sdopts.rec file:

      # touch /var/ace/sdopts.rec

   5. In a plain-text editor, add this line to the /var/ace/sdopts.rec file:

      CLIENT_IP=<Virtual System VIP Address>

   6. Change the context to other Virtual System:

      # vsenv <VSID>

   7. Create the $FWDIR/conf/sdopts.rec file:

      # g_all touch $FWDIR/conf/sdopts.rec

   8. In a plain-text editor, add this line to the sdopts.rec file:

      CLIENT_IP=<Virtual System VIP Address>

3. For each Virtual System, copy the same encryption key file, sdconf.rec, to the applicable directory:
   • For VS0, copy the file to the /var/ace/ directory.
   • For other Virtual Systems, copy the file to the $FWDIR/conf/ directory in the context of each Virtual System.
4. For cluster configurations, do all of the previous steps for each VSX Cluster Members.
5. For cluster configurations, on the Management Server, make sure that Hide NAT is enabled.

   On Multi-Domain Server, work in the context of the Target Domain Management Server that manages the Virtual System.

   1. Open the applicable table.def file. See sk98339.
   2. Make sure that the no_hide_services_ports parameter does not contain UDP port 5500.

      Sample parameter with Hide NAT enabled:

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };

   3. Save the file.
   4. In SmartConsole, install the Access Control policy on the Virtual Systems.

To distribute the node secret to Virtual Systems in a VSX Cluster:

1. Authenticate to the Virtual System on the VSX Cluster with a SecurID ACE/Server user account.

   The ACE/Server sends the node secret file to the VSX Cluster.

2. Locate the VSX Cluster Member, on which the Virtual System is in the Active state.
3. From that VSX Cluster Member, copy the securid file to the same Virtual System on the other VSX Cluster Members.
   • For VS0, copy the file to the /var/ace/ directory.
   • For other Virtual Systems, copy the file to the $FWDIR/conf/ directory in the context of each Virtual System.
4. Do all of the previous steps for each Virtual System.