The VMS Authentication Module (VAM) provides users of OpenVMS systems controlled access to both user-written applications and the OpenVMS system overall using SecurID. It can be incorporated into an OpenVMS-based platform in two ways:
Via an API that the user incorporates into a specific application to control access to that application. The VAM API is described in detail in chapter 6, "Using the VAM API".
On a system-wide basis via use of the LGI callouts for OpenVMS LOGINOUT.EXE.
SSH logins are not affected by the VAM LGI callouts.
The system console (OPA0:) is never required to use the LDAP LGI Callout interface. This prevents the system manager from being locked out of the system by a network failure that stops the VMS system from talking to the SecurID RSA Authentication Manager system(s).
The following sections describe the post-installation setup required to enable SecurID authentication. The VAM SecurID support must be configured for both the callable module (API) and LOGINOUT (LGI) callout support.
The SDCONF.REC file must be obtained from the ACE/Server system or from another VMS system running VAM, and copied to the <install_device>:[VAM] directory. This is a binary file, so when it is transferred from a non-VMS system via ftp, binary mode must be used.
When configuring the OpenVMS system as an agent host in the RSA Authentication Manager, the system must be described as a "UNIX AGENT".
VAM may be incorporated into the OpenVMS login mechanism to control access to the entire system. VAM provides an OpenVMS shareable image, which the system manager can incorporate, using supported OpenVMS mechanisms, into the OpenVMS LOGINOUT mechanism. This image uses the SecurID protocols to supplement the standard OpenVMS login processing and provides the necessary user authentication to access the system as part of the login process.
Note! This section assumes the user has basic knowledge of how SecurID authentication works.
The following example shows a login to a system for a user that has not yet established a PIN:
$ SET HOST VOODOO
Welcome to OpenVMS (TM) IA64 Operating System, Version V8.2-1
Username: johndoe
Enter PASSCODE:
You must select a new PIN.
Do you want the system to generate
your new PIN? (y/n) [n] n
Enter a new PIN between 4 and 8 alphanumeric
characters:
Re-enter new PIN to confirm:
PIN accepted. Wait for the tokencode to
change, then enter a new PASSCODE:
PASSCODE accepted.
Welcome to OpenVMS IA64 V8.2-1
Last interactive login on Monday, 23-JAN-2006 12:04:50.21
Last non-interactive login on Friday, 2-DEC-2005 07:33:34.74
You have 1 new Mail message.
VOODOO_$
The system manager configures the system to use the LGI callouts. This may be done in two ways:
Set the configuration keyword REQUIRE_SECURID. If set, all users are required to attempt SecurID authentication.
Add the rights identifier VAM_LGI_SECURID to the system rights database. This identifier may then be granted to those users that will be required to use SecurID authentication.
The following keywords are used to configure SecurID for VAM. These keywords are set in VAM:VAM_CONFIG.DAT.
ALLOW_DECNET_LOGIN
If set to a non-zero value, DECnet CTERM (RTAnn:) devices are required to log in using SecurID.
ALLOW_DECTERM_LOGIN
If set to a non-zero value, DECterm (FTAnn:) devices are required to log in using SecurID.
REQUIRE_SECURID
When set, all users will be required to attempt SecurID authentication.
SECURID_HONOR_VMS_MODALS
If this keyword is set to 1, the VMS login modals (e.g., allowed login dates and times) will be honored. By default, the modals as defined by the ACE server are used.
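The rules above (console and SSH exemptions, REQUIRE_SECURID, the VAM_LGI_SECURID identifier, and the two ALLOW_* device keywords) interact, and it is easy to enable the callouts with a VAM_CONFIG.DAT that subjects fewer or more sessions to SecurID than intended. The following Python model is an added illustration, not VAM's own code: it encodes the decisions as the manual states them so a planned configuration can be checked against sample logins before the callouts go live. The precedence chosen here (a device keyword set to 0 exempts that device class before REQUIRE_SECURID or the identifier is consulted) and the assumption that an unset ALLOW_* keyword behaves as 0 are this example's own; the keyword values, device names and identifier lists are constructed sample data.

```python
"""Model of the VAM SecurID LGI callout policy described in the manual.

Added example, not part of VAM. It reproduces the stated rules so a system
manager can sanity-check a planned VAM_CONFIG.DAT. The precedence between
keywords and the default of 0 for an unset ALLOW_* keyword are assumptions.
"""
import re


def device_class(device):
    """Classify an OpenVMS terminal device name the way the manual does.

    A leading underscore, letter case and a trailing colon are ignored, so
    "_rta12:" and "RTA12" are the same device.
    """
    name = device.lstrip("_").upper().rstrip(":")
    if name == "OPA0":
        return "console"             # system console, never subject to the callout
    if re.fullmatch(r"RTA\d+", name):
        return "decnet_cterm"        # RTAnn: DECnet CTERM device
    if re.fullmatch(r"FTA\d+", name):
        return "decterm"             # FTAnn: DECterm device
    return "other"                   # any other interactive terminal


def securid_required(config, device, user_identifiers, ssh=False):
    """Return True if this login must attempt SecurID authentication.

    config:           dict of VAM_CONFIG.DAT keyword -> integer value
    device:           terminal device name of the login (e.g. "TNA3:")
    user_identifiers: rights identifiers held by the user
    ssh:              True for an SSH login (not affected by the LGI callouts)
    """
    if ssh:
        return False                 # SSH logins bypass the LGI callouts entirely
    cls = device_class(device)
    if cls == "console":
        return False                 # OPA0: is exempt to avoid lock-out on network failure
    # Per-device-class keywords: 0 (or unset, assumed 0) exempts the class.
    if cls == "decnet_cterm" and not config.get("ALLOW_DECNET_LOGIN", 0):
        return False
    if cls == "decterm" and not config.get("ALLOW_DECTERM_LOGIN", 0):
        return False
    # System-wide switch, or the per-user identifier granted in AUTHORIZE.
    if config.get("REQUIRE_SECURID", 0):
        return True
    return "VAM_LGI_SECURID" in {ident.upper() for ident in user_identifiers}


def audit(config, logins):
    """Evaluate a list of (device, identifiers, ssh) sample logins under config.

    Returns a list of (device, required) pairs, useful for eyeballing which
    sessions a configuration actually covers before enabling the callouts.
    """
    return [(device, securid_required(config, device, idents, ssh))
            for device, idents, ssh in logins]


if __name__ == "__main__":
    # Constructed sample configuration: SecurID for everyone except DECnet CTERM.
    sample_config = {"REQUIRE_SECURID": 1,
                     "ALLOW_DECNET_LOGIN": 0,
                     "ALLOW_DECTERM_LOGIN": 1}
    sample_logins = [("OPA0:", [], False),        # console: exempt
                     ("TNA3:", [], False),        # telnet terminal: required
                     ("RTA1:", [], False),        # DECnet CTERM: exempt by keyword
                     ("FTA2:", [], False),        # DECterm: required by keyword
                     ("FTA4:", [], True)]         # SSH session: exempt
    for device, required in audit(sample_config, sample_logins):
        print(f"{device:8} SecurID required: {required}")
```

Running the block prints one line per constructed login. Flip REQUIRE_SECURID to 0 and the only sessions still subject to SecurID are those whose user holds VAM_LGI_SECURID, which is the per-user deployment mode the manual describes.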
The following logical names are used to configure SecurID access for VAM. These may be found in VAM:VAM_SPECIFIC_STARTUP.COM.
This logical name is used to determine the level of detail in the SecurID log file. It is a number from 1 to 65535, where 1 is the lowest level of tracing. This logical name should not normally be defined, because tracing has a severe impact on performance.
RSATRACEDEST
This logical name defines the location and name of the SecurID log file. If it isn't defined, output goes to the user's terminal.
The following files, used by SecurID processing, are found in the VAM directory. They should not normally be manipulated by the system manager:
SDSTATUS.12
This file is used by SecurID to keep track of the status of the RSA Authentication Manager servers and replicas. Each time a successful connection is made to a SecurID server, this file is rewritten.
SECURID.
This is the SecurID "node secret" file. It's created after the first successful SecurID session.