RSA Authentication Manager 7.1 on unsupported CentOS 6.3 64 bits + Radius server
I will go quickly for this one, don’t expect pictures or detailed help.
This is an unsupported install, as RSA still only supports CentOS 4 or CentOS 5 with 32 bits. CRAP !
My install will give you a fully functional Auth Manager 7.1 with the radius server.
I also migrated from an old 7.0 install.
First, install your CentOS 6.x (6.2 from my template, then updated to 6.3 as of this writing).
Then install A LOT of dependencies, some are 32 bits….
yum install bc gcc atk glibc glibc-devel glibc-headers kernel-headers libaio libart_lgpl libgomp libwnck libXp pango openmotif glibc.i686 glibc.x86_64 glibc-devel.i686 glibc-devel.x86_64 glibc-headers.x86_64 ksh libXp.i686 libXp.x86_64 libXp-devel.i686 libXt.i686 libXt.x86_64 libXt-devel.i686 libXtst.i686 libXtst.x86_64 libXtst-devel.i686 libgcc.i686 libgcc.x86_64 libstdc++.i686 libstdc++.x86_64 ncompress compat-libstdc++-296 compat-libstdc++-33.i686 compat-libstdc++-33.x86_64 compat-openldap.i686 compat-openldap.x86_64 compat-db.i686 compat-db.x86_64 libstdc++-devel.i686 make libdbi-devel.i686 libdbi-drivers.x86_64 libdbi.i686 libdbi.x86_64 libavc1394-devel.i686 libavc1394-devel.x86_64 libavc1394.i686 libavc1394.x86_64 libaio.i686 libaio.x86_64 libaio-devel.i686 libaio-devel.x86_64 glibc-common.x86_64 compat-glibc.x86_64 glibc.i686 glibc.x86_64 glibc-devel.i686 glibc-devel.x86_64 glibc-headers.x86_64 glibc-utils.x86_64 kernel-headers.x86_64 gsl.i686 gsl.x86_64 gtkspell.x86_64 gtkspell.i686 kdelibs.i686 kdelibs.x86_64 libgnome.i686 control-center-devel.i686 control-center-filesystem.i686 control-center.i686 control-center.x86_64
126.96.36.199 hostname hostname.example.com
Then add to /etc/services :
## Start RSA Auth Mgr ##
securid 5500/udp
securidprop_00 5505/tcp
securidprop_01 5506/tcp
securidprop_02 5507/tcp
securidprop_03 5508/tcp
securidprop_04 5509/tcp
securidprop_05 5510/tcp
securidprop_06 5511/tcp
securidprop_07 5512/tcp
securidprop_08 5513/tcp
securidprop_09 5514/tcp
securidprop_10 5515/tcp
sdlog 5520/tcp
sdserv 5530/tcp
sdreport 5540/tcp
sdadmind 5550/tcp
sdlockmgr 5560/tcp
sdcommd 5570/tcp
sdoad 5580/tcp
## End RSA Auth Mgr ##
Then you have to fake the OS version. Replace the content of /etc/redhat-release with this command :
echo "Red Hat Enterprise Linux AS release 4 (Nahant)" > /etc/redhat-release
Then you can start installing from the 6094A0.iso file you downloaded from the RSA website (this is the full package install) :
mkdir /opt/rsa /opt/rsa/src
mount -o loop /opt/rsa/src/6094A0.iso /mnt
groupadd --gid 500 rsa
useradd --home-dir /opt/rsa --comment "rsa user for securid" --gid 500 --no-create-home --uid 500 rsa
* * * * * mv /opt/rsa/RSASecurity/RSAAuthenticationManager/radius/libfreebl3.so /opt/rsa/RSASecurity/RSAAuthenticationManager/radius/libfreebl3.so-rsa >/dev/null 2>&1
chown -R rsa:rsa /opt/rsa
These are my answers :
IP address [10.10.10.10]
su - rsa
./rsautil manage-backups --action export -f /opt/rsa/backup-20120808.dmp
./rsautil setup-replication -a remove-primary
./rsautil manage-backups -a import -D -V -f /tmp/backup-old-server-2012080801.dmp
./rsautil setup-replication -a set-primary
Use the master login/password you defined previously. Go to the Deployment configuration -> RADIUS
You will be prompted for an admin account. Use the one from the old server (that can be your own personal account, not admin).
From there, delete every RADIUS server as you will use the new local one only. Deleting them can take some time… be patient.
Once done, configure a new one. Use the same shared secret as the previous server and give the master password + user account. This will again take some time and should result in the creation of your new radius server.
Stop/Start the server :
/etc/init.d/rsaauthmgr stop ; sleep 10 ; /etc/init.d/rsaauthmgr start
If done, go to the Security Console at https://my.new.server.com:7004/console-ims/
Login with an admin account. If your account previously used a SecurID token, use it.
Once in there, you will have to re-create the Agent config and Contact List config. This is the strangest part…
Go to the menu Access -> Authentication Agent -> Manage existing.
If one is already there, delete it and re-create it with the new server name. Agent type must be RADIUS server. Authentication Manager Contact List should stay as automatic, even if not well defined.
Then go to menu Access -> Authentication Agent -> Authentication Manager Contact List -> Manage Existing
Go and edit the one entry set as automatic (also edit the others the same way if you have many).
Be sure to add your new server in the server node list at the back.
Once done, use the menu to rebalance accounts : Access -> Authentication Agent -> Authentication Manager Contact List -> Automatic Rebalance
Once done, if there was no error, go to your shell as root and reconfigure the radius :
./configUtil.sh configure radius finalize-radius-restore
Reboot the server and, if lucky, you’re DONE !
One way to check this is to configure one of your boxes (router, switch… anything using radius) to auth on the new server. I did a tcpdump on the new server (tcpdump port 1646 or port 1813 or port 1645 or port 1812 or port 5500 or port 5550) to see what was going on.
If something is wrong, you will see your new server trying to reach the OLD RSA server. In this case… first cry, then scrap your new server and start over… sorry. That’s what I did MANY times….
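The tcpdump check above can be scripted. This is an added example, not part of the original post: it reads `tcpdump -n` text output and counts packets the new server sends to the old one on the ports from the filter above. The old server address 10.10.10.20, the RADIUS client 10.10.10.30 and the capture lines are constructed for illustration.

```shell
#!/bin/sh
# Ports taken from the tcpdump filter in the post.
RSA_PORTS="1645 1646 1812 1813 5500 5550"

# count_old_server_packets NEW_IP OLD_IP   (reads `tcpdump -n` text on stdin)
# Prints how many packets NEW_IP sent to OLD_IP on one of RSA_PORTS.
# Any value above 0 means the new server still references the old one.
count_old_server_packets() {
    awk -v new="$1" -v old="$2" -v ports="$RSA_PORTS" '
        # tcpdump -n prints endpoints as a.b.c.d.port (IPv4 assumed here)
        function host(ep,   p) { split(ep, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
        function port(ep,   p, n) { n = split(ep, p, "."); return p[n] }
        BEGIN { m = split(ports, l, " "); for (i = 1; i <= m; i++) want[l[i]] = 1 }
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)   # drop the trailing colon
            if (host(src) == new && host(dst) == old && (port(dst) in want)) hits++
        }
        END { print hits + 0 }
    '
}

# Constructed capture: a router authenticates against the new server
# (10.10.10.10), which then wrongly contacts the old server on 5500/udp.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.10.10.30.1645 > 10.10.10.10.1812: RADIUS, Access-Request (1), id: 0x01 length: 60
12:00:01.000150 IP 10.10.10.10.40112 > 10.10.10.20.5500: UDP, length 124
12:00:03.000200 IP 10.10.10.10.40112 > 10.10.10.20.5500: UDP, length 124
12:00:03.000400 IP 10.10.10.20.5500 > 10.10.10.10.40112: UDP, length 60
12:00:05.000300 IP 10.10.10.10.1812 > 10.10.10.30.1645: RADIUS, Access-Reject (3), id: 0x01 length: 20
EOF
}

# Live use on the new server, as root, with the same filter as in the post:
#   tcpdump -n -c 200 port 1646 or port 1813 or port 1645 or port 1812 \
#       or port 5500 or port 5550 | count_old_server_packets 10.10.10.10 10.10.10.20

sample_capture | count_old_server_packets 10.10.10.10 10.10.10.20   # → 2
```
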
BTW, I was able to keep SELinux enforced and the firewall (while opening a whole bunch of ports).
Remember that this install is NOT supported by RSA. It is just working for me.