Background of amsecuridd helper deamon

Access Manager SecurID authentication client is implemented using RSA’s ACE/Client API and a helper written in C will communicate between Access Manager SecurId module and the SecurId server

Access Manager SecurId module invokes amsecuridd deamon by opening a socket to localhost:57943 to listent for securid authentication requests. port 57943 is the default port number, if this port number is already occupied different port number can be specified for the SecurID Helper Authentication Port attribute in SecurId service configuration.

The interface to amsecuridd is cleartext through stdin. that’s why only localhost connections are permitted to this service. the “backend” of this routine uses the SecurID remote API (v5.\*), which does the appropriate encryption of sensitive data.

amsecuridd helper listens on another port to receive its configuration information. by default on the port 58943. if this port is occupied, you can run it on different port, by changing the securid service properties through Access Manager Console For each organization/realm that communicates with a different ACE/Server (which has a different sdconf.rec file), a separate instance of SecurID helper should be run.

How to run amsecuridd helper

This deamon can be invoked in two ways,

  • Manual invocation
  • Using amserver wrapper script

    Starting it manually

    amsecuridd requires the following shared libararies
    libaceclnt.so =>         /opt/SUNWam/lib/libaceclnt.so
    libsocket.so.1 =>        /lib/libsocket.so.1
    libnsl.so.1 =>   /lib/libnsl.so.1
    libthread.so.1 =>        /lib/libthread.so.1
    libc.so.1 =>     /lib/libc.so.1
    libpthread.so.1 =>       /lib/libpthread.so.1
    libmp.so.2 =>    /lib/libmp.so.2
    libmd5.so.1 =>   /lib/libmd5.so.1
    libscf.so.1 =>   /lib/libscf.so.1
    libdoor.so.1 =>  /lib/libdoor.so.1
    libuutil.so.1 =>         /lib/libuutil.so.1
    libm.so.2 =>     /lib/libm.so.2
    /platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
    /platform/SUNW,Sun-Fire-480R/lib/libmd5_psr.so.1
    Most of them can be found in OS.
    you need to set LD_LIBRARY_PATH to //SUNWam/lib/ to find libaceclnt.so
    amsecuridd: Usage [-v] [-c portnum]
    [-v] turn on verbose mode; you need to create the debug file by
    touch /var/opt/SUNWam/debug/securid_client.debug
    [-c portnum]  config listening port number; default 58943.

    Starting amsecuridd using amserver script

    The amserver script can be found in the /SUNWam/bin/ directory
    /opt/SUNWam/bin/amserver start
    stopping auth helpers ...
    done.
    starting auth helpers ...
    done.
    verify the process has been started
    ps -ef | grep amsecuridd
    root 1725 1 0 10:26:49 pts/3 0:00 /opt/SUNWam/share/bin/amsecuridd -c 58943

    How to disable the amsecuridd deamon from being started

    if you dont want the amsecuridd deamon started everytime when amserver start is issued do the following Remove the securid from following property from AMConfig.properties com.iplanet.am.daemons
    for eg: out of box this property will look like this
    com.iplanet.am.daemons=unix securid
    after disabling securid
    com.iplanet.am.daemons=unix

    Limitations

    SecurId Authentication module is supported only on Solaris Sparc hosts, it is not supported on Solaris x86 and Linux

    Troubleshooting SecurID Authentication

    Make sure the amsecuridd deamon is running in verbose mode if not restart it with -v option. then follow these steps on the server where the amsecuridd is running
    telnet localhost 58943
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '\^]'.
    Enter SecurID Helper Listen Port [57943]:
    Enter SecurID Helper Session Timeout [5]:
    Enter SecurID Helper Max Sessions [5]:
    Enter Config Path for Server [/opt/ace/data]: /var/tmp/ace.iramya
    get_config_info: amsecuridd configured successfully
    Connection closed by foreign host.
    telnet localhost 57943
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '\^]'.
    Enter SecurID login: fob56
    Enter passcode: 06457646
    System generated PIN? (y/n): n
    Enter new PIN, containing 4 to 8 digits: 1234
    Wait for the code on your token to change, then connect again with the new
    PIN
    Connection closed by foreign host.
    telnet localhost 57943
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '\^]'.
    Enter SecurID login: fob56
    Enter passcode: 123418924721
    Authentication passed
    Connection closed by foreign host.
    The dialog session may be different based on your securid card configuration
    You can find more details about the client communication with ACE server in the /var/opt/SUNWam/debug/securid_client.debug file
    The passcode is computed like this: your PIN for the fob + the digits displayed on the fob
    for example if your fob displayed 18924721 and your PIN for the fob(securid card) is: 1234
    then the passcode will be: 123418924721
    if the above step works fine then it is the problem in the Access Manager SecurId atuhentication configuration. Run the server in debug mode
    In AM 7.0+ you can dynamically enable debug mode by following these steps
    Login as amadmin (or top level admin user) to Access Manager Console
    Access ://server:port//Debug.jsp?category=AUTHENTICATION&level=3
    Try to look into amAuthSecurID file

    Advertisements