You can set up your environment to require that users log in with an RSA SecurID token. SecurID setup is supported only from the command line.

See the two vSphere Blog posts about RSA SecurID setup for details.

Note: RSA Authentication Manager requires that the user ID is a unique identifier that uses 1 to 255 ASCII characters. The characters ampersand (&), percent (%), greater than (>), less than (<), and single quote (`) are not allowed.

Prerequisites

  • When configuring RSA SecurID, vCenter Single Sign-On (SSO) supports the use of User Principal Name (userPrincipalName attribute) as the user ID only when Integrated Windows Authentication (IWA) is configured as an identity source for RSA users.
  • Verify that your environment uses Platform Services Controller version 6.5 or later, and that you use vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart card authentication, but the setup procedure is different.
  • Verify that your environment has a correctly configured RSA Authentication Manager and that users have RSA tokens. RSA Authentication Manager version 8.0 or later is required.
  • Verify that the identity source that RSA Manager uses has been added to vCenter Single Sign-On. See Add or Edit a vCenter Single Sign-On Identity Source.
  • Verify that the RSA Authentication Manager system can resolve the Platform Services Controller host name, and that the Platform Services Controller system can resolve the RSA Authentication Manager host name.
  • Export the sdconf.rec file from the RSA Manager by selecting Access > Authentication Agents > Generate configuration file. Decompress the resulting AM_Config.zip file to find the sdconf.rec file.
  • Copy the sdconf.rec file to the Platform Services Controller node.

Procedure

  1. Change to the directory where the sso-config script is located.
    Option Description
    Windows C:\Program Files\VMware\VCenter server\VMware Identity Services
    Appliance /opt/vmware/bin
  2. To enable RSA SecurID authentication, run the following command. 
    sso-config.[sh|bat]  -t tenantName  -set_authn_policy -securIDAuthn true
    tenantName is the name of the vCenter Single Sign-On domain, vsphere.local by default.
  3. (Optional) To disable other authentication methods, run the following command. 
    sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local
  4. To configure the environment so that the tenant at the current site uses the RSA site, run the following command. 
    sso-config.[sh|bat] -set_rsa_site [-t tenantName] [-siteID Location] [-agentName Name] [-sdConfFile Path]
    For example: 
    sso-config.sh -set_rsa_site -agentName SSO_RSA_AUTHSDK_AGENT -sdConfFile /tmp/sdconf.rec
    You can specify the following options.
    Option Description
    siteID Optional Platform Services Controller site ID. Platform Services Controller supports one RSA Authentication Manager instance or cluster per site. If you do not explicitly specify this option, the RSA configuration is for the current Platform Services Controller site. Use this option only if you are adding a different site.
    agentName Defined in RSA Authentication Manager.
    sdConfFile Copy of the sdconf.rec file that was downloaded from RSA Manager and includes configuration information for the RSA Manager, such as the IP address.
  5. (Optional) To change the tenant configuration to nondefault values, run the following command. 
    sso-config.[sh|bat] -set_rsa_config [-t tenantName] [-logLevel Level] [-logFileSize Size] [-maxLogFileCount Count] [-connTimeOut Seconds] [-readTimeOut Seconds] [-encAlgList Alg1,Alg2,...]
    The default is usually appropriate, for example: 
    sso-config.sh -set_rsa_config -t vsphere.local -logLevel DEBUG
  6. (Optional) If your identity source is not using the User Principal Name as the user ID, set up the identity source userID attribute. (Supported with Active Directory over LDAP identity sources only.)

    The userID attribute determines which LDAP attribute is used as the RSA userID. 

    sso-config.[sh|bat] -set_rsa_userid_attr_map [-t tenantName] [-idsName Name] [-ldapAttr AttrName] [-siteID Location]
    For example: 
    sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName ssolabs.com -ldapAttr userPrincipalName
  7. To display the current settings, run the following command. 
    sso-config.sh -t tenantName -get_rsa_config

Results

If user name and password authentication is disabled and RSA authentication is enabled, users must log in with their user name and RSA token. User name and password login is no longer possible.

Note: Use the user name format userID@domainName or userID@domain_upn_suffix.