Creating an Administrator Account with SecurID Authentication
SecurID requires administrators to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the administrator wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When an administrator attempts to authenticate to a protected resource, the AM must validate the one-time use code.
The Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) forwards SecurID authentication requests from remote administrators to the AM. The AM manages the database of the RSA users and their assigned hard or soft tokens. The Security Management Server acts as an AM Agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation.
There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over the SDK-supported API or through the REST API.
To learn how to configure a SecurID server, refer to the vendor documentation.
After you configure SecurID authentication, you can, in addition, configure authentication with a certificate file. The administrator can then authenticate to SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) with SecurID authentication or with the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log in to SmartConsole in two ways:
- Log in to SmartConsole with the Certificate File option. The administrator must provide the password to use the certificate file.
- You can import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The administrator can then use this stored certificate to log in to SmartConsole with the CAPI Certificate option. The administrator does not need to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole with no administrator account of their own.
To configure SecurID authentication for an administrator
- Configure the Security Management Server to use SecurID (this procedure is only relevant if you use an SDK-supported API):
  - Connect to the command line on the Security Management Server.
  - Log in to the Expert mode.
  - Copy the sdconf.rec file to the /var/ace/ directory. If the /var/ace/ directory does not exist, create it with this command: mkdir -v /var/ace/
  - Assign all permissions to the sdconf.rec file: chmod -v 777 /var/ace/sdconf.rec
- Configure the SecurID Server object:
  - Add a new SecurID server object: go to the Object Explorer and select New > More > Server > New SecurID.
  - Give the server a Name. It can be any name.
  - This step applies only to the SDK-supported API: click Browse and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.
  - Click OK.
- Add a new administrator and define SecurID as the authentication method:
  - Go to Manage & Settings > Permissions & Administrators > Administrators > click New. The New Administrator window opens.
  - Give the administrator a name: a unique, case-sensitive character string.
  - In Authentication method, select SecurID.
  - Select the SecurID Server defined earlier.
  - Optional: In the Authentication section > Certificate Information, click Create:
    - Enter a password. A password is required to protect the sensitive data contained in the certificate file.
    - Click OK.
    - Save the certificate file to a secure location on the SmartConsole computer. Notes:
      - Make sure that the login name is included in the File name field.
      - Make sure that Certificate Files (*.p12) is selected in the Save as type drop-down list. The certificate file is in the PKCS #12 format and has a .p12 extension.
      - A password is required to protect the sensitive data in the certificate file. The certificate file contains the private key. After the certificate is issued, save it to a file and give the administrator this file and the password. The administrator can then authenticate with the certificate when they log in with SmartConsole to the Security Management Server.
  - Assign a Permission Profile.
  - In the Expiration section, select the expiration date and make sure that it is set to a valid future date.
  - Click OK.
  - Publish the SmartConsole session.
- Optional: Import the certificate file into the Windows Certificate Store.
  Note - This procedure applies if you create a certificate authentication in the administrator object, and you log in to SmartConsole with the CAPI Certificate option.
  - Right-click the *.p12 file you saved when you created the required administrator, and click Install PFX. The Certificate Import Wizard opens.
  - In the Store Location section, select the applicable option:
    - Current User (this is the default)
    - Local Machine
  - Click Next.
  - Enter the same certificate password you used when you created the required administrator certificate.
  - Clear Enable strong private key protection.
  - Select Mark this key as exportable.
  - Click Next.
  - Select Place all certificates in the following store, click Browse > Personal > OK.
  - Click Next.
  - Click Finish.
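Before the .p12 file created in the "Add a new administrator" step is handed to an administrator, it is worth confirming that it matches the notes in that step: PKCS #12 format, login name in the file name, opens only with its password, and carries the private key. The shell function below is an added example, not part of the Check Point procedure, and assumes the openssl command-line tool is installed; the file path, login name and password are placeholders you supply.

```shell
#!/bin/sh
# Added example (not Check Point code): sanity-check a SmartConsole
# administrator certificate file (.p12) before giving it to an administrator.
# Assumes the openssl CLI is available on the PATH.

# check_admin_p12 FILE LOGIN PASSWORD
# Returns 0 when every check passes; prints the first failing check and
# returns 1 otherwise.
check_admin_p12() {
    file=$1 login=$2 pass=$3
    # The procedure saves the certificate as Certificate Files (*.p12).
    case "$file" in
        *.p12) ;;
        *) echo "FAIL: $file does not use the .p12 extension"; return 1 ;;
    esac
    # The login name must be part of the file name.
    case "$(basename "$file")" in
        *"$login"*) ;;
        *) echo "FAIL: login name '$login' is not in the file name"; return 1 ;;
    esac
    # A bundle that opens with an empty password is not password-protected.
    if openssl pkcs12 -in "$file" -passin pass: -noout >/dev/null 2>&1; then
        echo "FAIL: $file opens without a password"; return 1
    fi
    # The real password must open it (this also proves it is valid PKCS #12) ...
    if ! openssl pkcs12 -in "$file" -passin "pass:$pass" -noout >/dev/null 2>&1; then
        echo "FAIL: $file is not PKCS #12 or does not open with the supplied password"
        return 1
    fi
    # ... and the bundle must contain the administrator's private key.
    if ! openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo "FAIL: $file contains no private key"; return 1
    fi
    echo "OK: $file is a password-protected PKCS #12 file for $login"
    return 0
}
```

Run it as `check_admin_p12 /path/to/alice.p12 alice 'the-password'` from the secure location where the file was saved; a non-zero exit means the file should not be handed out as-is.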