Create a new credential type of RSA SecureID

Implemented

Hi all, we have a need for a new credential type of type RSA SecureID.
This consists of a Username and a Passcode.
The Passcode consists of a static user-entered PIN and a token code.
The token code is a 6-digit number shown on the RSA keyfob (Wikipedia link below, model SID700) that changes every 60 seconds.

So since the token code changes every 60 seconds, it cannot be stored in the password database, but it MUST be prompted for during every connection.
Ideally the combination of Username (can be stored) and Passcode (should be prompted) should result in an RDM credential object we can use in connections, but also be stored in variables so it can be used in connection properties or scripts.
The credential object can be used in multiple connection types, such as a Remote Desktop connection to a server where the RSA SecureID authenticator is installed, or websites requiring RSA MFA.
Note that I'm already using a connection of type Citrix NetScaler that I've configured with 'Always prompt for passcode', so it asks me for the Passcode. However, this one doesn't work correctly since the passcode and password are swapped: they're entered in the wrong fields in the webpage, so I can't log on here (but that is a different issue).

All Comments (17)

Would you need a password field as well?

Regards

David Hervieux

Hi David,
Thanks for your quick reply.
A username and passcode field would suffice. RSA is using the term passcode to differentiate between that and a password. And the passcode in its turn consists of a static PIN + 6-digit number from the keyfob that changes every 60 seconds.
I've attached 2 images with examples from CyberArk: the first one is the CyberArk website asking for MFA, the second one is the CyberArk PSM server (Windows server) with RSA SecureID authenticator that lets me login with my vault username (= RSA username) and password (= RSA passcode).
But also our F5 VPN is using MFA using the RSA SecureID, and other (often web) applications do this as well.

CyberArk.PSM.RSA.login.PNG

CyberArk.Website.RSA.Login.PNG

Hi all, is there any progress in this?

Note that a similar question was also asked in the following posts 1955 and 32803:
https://forum.devolutions.net/topics/1955/passwords-and-rsatokens
https://forum.devolutions.net/topics/32803/enhance-cyberark-credential-entry-to-work-with-rsa-token-id

Note that it would be a credential type that should consist of at least a user name, but doesn't need to have a (stored) password part, since it needs to be asked every time.
Note that in post 1955 above the original requester asked for username + password, where the password was to be stored and reused as the beginning.
That is: because a complete RSA token code consists of a personal PIN directly appended with the temporary code on the device. We're required to enter them both, but because the PIN is static, the requester in post 1955 liked to store the personal PIN in the database as well. So for us the PIN is optional.

And I really have the impression more and more usage possibilities would arise,
like post 28273 on https://forum.devolutions.net/topics/28273/add-rsa-securid-to-2factor-authentication#134355 where the same RSA token can hopefully also be used as an MFA authenticator to protect the datastore with 'two factor'. Note that in this case the RSA server internally can be configured with RADIUS authentication to provide the authentication part of the two-factor.

Note that I'd be happy to provide more information or online demo to discuss/show more details when needed.

Hello Ben,

We haven't started work on this yet. From what I understand, what you would want is an entry that contains two fields. A username (required) and a password (optional). When using this entry as a credential, it would fill the username, and for the password field, it would pre-fill a prompt with the password if entered, and you would need to write your PIN afterwards. Is this right, or am I misunderstanding your use case?
If the PIN would need to fill a third field separate from the password, we would need to support this on a case-by-case basis, so it would be helpful to know exactly in which types of entries you would like to use this, and how.

Regards,

Hubert Mireault

Hi Hubert,

Yes, it is like you describe it: 2 fields. Could be username and password, as long as the password is (always) asked.

We have a RSA keyfob as depicted in the wiki: https://en.wikipedia.org/wiki/RSA_SecurID

This is a display that changes every 30 seconds (on a soft-token in my phone) / 60 seconds (on a hard-token as shown in the pictures on that wiki).

If we logon to any RSA enabled application we always have to provide:

  1. a user name
  2. a token code consisting of:
    1. a PIN, and
    2. the current 6-digit code from the keyfob above.


So that would be 3 pieces of information, but as soon as RDM uses it as a credential there would be 2.

The username (1.) is static (for me), thus can be stored in my private vault.
The token code (2.) has a static part (my personal PIN) (2a.) and a dynamic part (2b.).
The static part: I've seen another thread here in the forum https://forum.devolutions.net/topics/1955/passwords-and-rsatokens where the requester also wants this personal PIN to be pre-populated. That is not required by us (even: forbidden for us), but since other people want it, you may want to make it optional to save it.
The dynamic part (2b.) changes every 30 sec, thus ALWAYS needs to be prompted.


I've been playing with the OTP type to see if it matches our requirement, but:
The existing OTP type needs to be configured with a key (?) and that seems to generate an OTP itself, does it? We cannot have 'others' generate the OTP since we have to retype it during each use. It is an MFA entry of course...

I've also been playing with a standard username / password entry type including: always prompt for password, but that seems to ask ALL information, including the already provided username.

I'd like to use it for the following connection types:

  1. RDP
  2. websites
  3. MFA on the RDM datasource connection itself  (would be nice to have, not requirement yet)


Oh yes, and if you want to reuse code:
Do you have a Microsoft / Google or other authenticator app on your phone? That now works quite similarly, thus can ALSO be used the same way. It shows a temporary code to type, and can also use a username like your Google email address as username.
The only difference would be that the RSA token code consists of a personal PIN + the code on your screen, while the Google authenticator app would only use the code on your screen.

Regards, Ben

Hello Ben,

Thank you for the detailed explanation! For RDP and websites, would it enter the token in the 'password' field or in a separate field like an OTP? If it's directly in the password field, this is easier than expected and we could do this quickly. If it would be in a separate field, we would have to spend more time thinking about how we could properly implement this.

For entering the MFA on a datasource's MFA prompt, I don't think it would be possible since to load the entries within the datasource, you would need to have entered the MFA already.

Regards,

Hubert Mireault

Hi Hubert,
Yes, the token can be placed in the password field, although I wonder if an entry of type 'credential' would care where / how it will be used.
I've created connection entries in the past of type web http where, in the Login tab - HTML Control ID, I can configure in what form fields some information should go, so it is the connection entry that can steer the flow.

You're correct about the datasource MFA, it is no use to store that as an entry type in the source if it isn't open. So that would be a completely different feature request.

Regards,
Ben

Hello Ben,

The reason why I specifically mention if you'd want it to fill the password field is that with the way RDM currently works, you couldn't fill both a 'password' and an 'OTP' using the same one credential. But you're right, for the web browser / website entries, you can make the 'password' field map to any field as long as you specify its ID and RDM can find it on the page.
I've opened a ticket with all of the information you provided. We'll let you know once we have made the changes. Thanks again for helping out!

Regards,

Hubert Mireault

Hello Ben,
Thank you for all the details provided. Please centralize our communications inside this thread so that our community can benefit from the communications as well and to avoid any confusion on our end.
That being said, your feature request is on our list. We should be able to start working on it in the next week or two. I'll post back here when a version is available with your feature.

Regards,

Hubert Mireault

Hello,

@Ben05 I wanted to let you know that we will have the RSA SecurID credential available in RDM 2020.2.10.0, which is planned to be released next week.

There are two caveats.

The first is that the integration with the CyberArk credential will not be ready by then, since we will need to get their approval on the changes, as is standard with any of our integrations with them. I will let you know in this thread once we have an update on the approval status.

The second is that the way you will be able to link the RSA credential to your CyberArk credential will be somewhat limited. In the CyberArk credential, you will be able to set the mode to "custom" credentials (what is currently implemented), and the new "RSA SecurID" credentials, where you'll be able to enter the RSA SecurID information directly in the entry (username and PIN). The limitation is that you won't be able to link to an existing entry in your main vault. What you will be able to do, is in the My Account Settings for CyberArk, you can link to a private vault entry of RSA SecurID.

I hope this workflow will suit your scenario once it's fully available. If you have any additional suggestions or you can see something that wouldn't work for you right away, let me know and I'll see if I can use your suggestions to improve the integration.

Regards,

Hubert Mireault

Hi Hubert,
Thanks for letting me know. I'll try to download and start testing with it as soon as I can after that release next week.

Regarding the caveats, it's hard to imagine what that would look like, but I'll very likely see soon enough what it exactly means. But since those credential types are quite personal I don't see any problem with storing those in my private vault.

Thanks, and regards, Ben van Zanten

Hi guys,

I'm testing out the RSA SecureID functionality that was recently added. Glad to see it as an option now! I'm not entirely sure how to get it set up, or how to use the credential to open other entries. Is there any documentation for it yet?

Also, there IS a way to automatically generate the correct 6-digit RSA code without needing user input. Please see this free/open software called stoken:
https://sourceforge.net/p/stoken/wiki/Home/
https://github.com/cernekee/stoken

You provide it a .stdid file, which is generated by RSA software and provided to end users, which they use to set up the RSA software in their phone. If this technology could be implemented into RDM, you could just have a field where you provide the stdid file, and then potentially just prompt the user for the 4 digit PIN when connecting using the RSA credentials.

Any chance at getting this added to enhance the RSA credentials?

Thank you,
Erik

Hi Erik,
The Credential of type RSA SecureID I've requested in the current thread is to be treated as a passcode "consumer" (my physical RSA token fob generates it, or my smartphone generates it using the RSA SoftToken software on my phone), requiring us to have additional authenticators other than what is already present on the machine. Your request would make it a passcode "generator" (and there is already something like that in RDM, the OTP credentials).
I'm trying to use this 'consumer' in other Credential types such as the 'RADIUS' authenticator in 'CyberArk' credential types (which is not working yet), or to use dual factor to log in to RSA tokenid protected websites such as the CyberArk PVWA website. I AM currently able to do that (using a web entry to CyberArk PVWA, a credential of type RSA SecureID token, and a typing macro in the post-connect event).

I'm afraid that if your request is implemented, for our security department the RSA token won't be seen as a real 'Multi Factor' anymore, since currently the RSA token is stored on a physical FOB, or in our mobile phone. If the code is inserted into RDM itself, it wouldn't be seen as an additional or 'external' factor by our security organisation ;-)
Even still, I'm interested in all possibilities with relation to this.

Regards, Ben

Hello,

Thanks for the explanation, Ben 🙂

As for implementing something like this, it's interesting, but we wouldn't be able to specifically use stoken as it is under the LGPL license.
We'll keep this in mind though, and I encourage our community to let us know if they would like this feature added to RDM.

Regards,

Hubert Mireault

Can you tell me step by step how to find the RSA entry? I've been searching through the properties fields of my session and can't find it mentioned anywhere. On version 2020.3.18.0.

Hello,

This entry is available in the Credential Entry Type -> RSA SecurID.
It is available in RDM Enterprise.

Best regards,

Alex Belisle

How we use the RSA SecureID token for CyberArk PSM credentials:

  1. In File - "My Account Settings", find below the 'Settings' the RSA SecurID entry and edit this one.
    • Fill in your username, and optionally your RSA SecurID PIN code.
    • We don't fill in the PIN code here. Upon use, the RSA SecureID entry will always ask for the current token code (see below) and append it to the PIN code. This works very well, but we now have a 'newer version' of the RSA SecureID application on our phone that uses 'push to approve', thus we only provide the PIN code when the entry is USED, not when it is stored.

  2. In the same page: File - My Account Settings - My Personal Credentials
    • Configure: Enable: Use "My account settings"
    • Select the RSA SecureID

  3. Now the CyberArk PSM entries:
    • For CyberArk PSM entries you must create (or edit an existing one, if you already made it) a Template.
    • File - Templates - Manage.
    • Create or edit an RDP entry type for CyberArk PSM:
      • Configure the credentials: My personal Credentials
      • Then you can close the 'Templates' tab.

  4. Then create (or edit an existing) CyberArk PSM Server connection.
    • Connection mode: AAM
    • Template: choose the template you created above.

  5. Then create (or edit an existing) CyberArk PSM entry.
    • Connection type: CyberArk PSM Connection (we typically create this as a sub-entry below an RDP entry)
    • No very special settings here.

  6. That's it for configuration! Upon use of the CyberArk PSM credential we're asked for the CyberArk PIN and/or token and then connect.
     Note that the 'OK' button won't be available until you type at least 1 char for the code. RDM will append this code to the previously entered PIN.

Success!
Ben van Zanten
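As an added example (not RDM's or Devolutions' code), here is the two-field passcode "consumer" the thread converges on: a stored username with an optional static PIN, a 6-digit token code that is prompted at every use and appended to the PIN, and both fields mapped onto explicit web form control IDs so they cannot land in swapped fields. The class and function names are hypothetical and the sample values are constructed.

```python
"""Added example, not RDM's code: the RSA SecurID credential from this thread
modelled as a passcode *consumer*: username (required) and optional static PIN
are stored; the 6-digit token code is prompted at every use and never kept.
Names are hypothetical and the __main__ values are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_CODE_RE = re.compile(r"\d{6}")  # the SID700 fob displays 6 digits

@dataclass(frozen=True)
class SecurIDCredential:
    username: str
    pin: Optional[str] = None  # optional: some organisations forbid storing it
    # deliberately no token-code field: the dynamic part has nothing to store

def compose_passcode(cred: SecurIDCredential, prompt: Callable[[str], str]) -> str:
    """Ask for the dynamic part at use time and return PIN + token code.

    With a stored PIN the user types only the 6-digit token code; without one
    the user types PIN + token code in a single field, as on an RSA login page.
    """
    if cred.pin is not None:
        pin, code = cred.pin, prompt("Token code: ").strip()
    else:
        entered = prompt("PIN + token code: ").strip()
        pin, code = entered[:-6], entered[-6:]
    if not TOKEN_CODE_RE.fullmatch(code):
        raise ValueError("token code must be exactly 6 digits")
    return pin + code

def fill_web_form(cred: SecurIDCredential, passcode: str,
                  control_ids: Dict[str, str]) -> Dict[str, str]:
    """Map the two credential fields onto explicit HTML control IDs.

    Mapping by ID (what the web entry's Login tab does) avoids the NetScaler
    problem from the thread, where passcode and password ended up swapped.
    """
    return {control_ids["username"]: cred.username,
            control_ids["passcode"]: passcode}

if __name__ == "__main__":
    cred = SecurIDCredential("ben", pin="1234")
    # constructed stand-in for the interactive prompt the user would see
    passcode = compose_passcode(cred, lambda _msg: "567890")
    print(fill_web_form(cred, passcode, {"username": "login", "passcode": "passwd"}))
```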