You can set up your environment to require that users log in with an RSA SecurID token. SecurID setup is supported only from the command line.
Before you begin
Verify that your environment uses Platform Services Controller version 6.5, and that you use vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart card authentication, but the setup procedure is different.
Verify that your environment has a correctly configured RSA Authentication Manager and that users have RSA tokens. RSA Authentication Manager version 8.0 or later is required.
Verify that the identity source that RSA Manager uses has been added to vCenter Single Sign-On. See Add a vCenter Single Sign-On Identity Source.
Verify that the RSA Authentication Manager system can resolve the Platform Services Controller host name, and that the Platform Services Controller system can resolve the RSA Authentication Manager host name.
Export the sdconf.rec file from the RSA Manager by selecting . Decompress the resulting AM_Config.zip file to find the sdconf.rec file.
Copy the sdconf.rec file to the Platform Services Controller node.
About this task
See the two vSphere Blog posts about RSA SecurID setup for details.
RSA Authentication Manager requires that the user ID is a unique identifier that uses 1 to 255 ASCII characters. The characters ampersand (&), percent (%), greater than (>), less than (<), and single quote (`) are not allowed.
- Change to the directory where the sso-config script is located.
C:\Program Files\VMware\VCenter server\VMware Identity Services
- To enable RSA SecurID authentication, run the following command.
sso-config.[sh|bat] -t tenantName -set_authn_policy –securIDAuthn true
tenantName is the name of the vCenter Single Sign-On domain, vsphere.local by default.
- (Optional) : To disable other authentication methods, run the following command.
sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local
- To configure the environment so that the tenant at the current site uses the RSA site, run the following command.
sso-config.[sh|bat] -set_rsa_site [-t tenantName] [-siteID Location] [-agentName Name] [-sdConfFile Path]
sso-config.sh -set_rsa_site -agentName SSO_RSA_AUTHSDK_AGENT -sdConfFile /tmp/sdconf.rec
You can specify the following options.
Optional Platform Services Controller site ID. Platform Services Controller supports one RSA Authentication Manager instance or cluster per site. If you do not explicitly specify this option, the RSA configuration is for the current Platform Services Controller site. Use this option only if you are adding a different site.
Defined in RSA Authentication Manager.
Copy of the sdconf.rec file that was downloaded from RSA Manager and includes configuration information for the RSA Manager, such as the IP address.
- (Optional) : To change the tenant configuration to nondefault values, run the following command.
sso-config.[sh|bat] -set_rsa_config [-t tenantName] [-logLevel Level] [-logFileSize Size] [-maxLogFileCount Count] [-connTimeOut Seconds] [-readTimeOut Seconds] [-encAlgList Alg1,Alg2,...]
The default is usually appropriate, for example:
sso-config.sh -set_rsa_config -t vsphere.local -logLevel DEBUG
- (Optional) : If your identity source is not using the User Principal Name as the user ID, set up the identity source userID attribute.
The userID attribute determines which LDAP attribute is used as the RSA userID.
sso-config.[sh|bat] -set_rsa_userid_attr_map [-t tenantName] [-idsName Name] [-ldapAttr AttrName] [-siteID Location]
sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName ssolabs.com -ldapAttr userPrincipalName
- To display the current settings, run the following command.
sso-config.sh -t tenantName -get_rsa_config
If user name and password authentication is disabled and RSA authentication is enabled, users must log in with their user name and RSA token. User name and password login is no longer possible.
Use the user name format userID@domainName or userID@domain_upn_suffix.