How to integrate the RSA SID700 hardware token with the SWIFT Alliance application
After decrypting the hardware token seed file and importing it into RSA Authentication Manager (AM), the next task is integrating the token with the SWIFT application. SWIFT is one of the most critical applications in the banking industry: banks use it to send payment instructions and other financial messages to each other. A bank's SWIFT Alliance environment is also what the North Korean APT group Lazarus compromised in the 2016 Bangladesh Bank heist (the attackers abused the bank's own access to SWIFT, not the SWIFT network itself).
Special Note: Please note that I am unable to show you the exact SWIFT and RSA configuration, because I did that on the customer's premises and it is related to their privacy. But I will guide you through the exact process that I followed there. I am mimicking the customer environment in our lab.
The key steps for the integration are:
- Create the user in RSA AM and assign the hardware token.
- Configure the RADIUS authentication server group in the SWIFT application using the LSO and RSO accounts.
- Create a RADIUS client for SWIFT in RSA AM.
- Allow UDP ports 1812 and 1645 from the SWIFT system to RSA AM (RSA AM's built-in RADIUS server listens on both: 1812 is the IANA-assigned RADIUS authentication port and 1645 the legacy one).
- Make sure SWIFT and RSA AM are configured with the same NTP server and their clocks are in sync (SecurID tokencodes are time-based, so clock drift causes authentication failures).
- Configure the rest from the Self-Service Console (SSC) portal.
Create the user in RSA AM and assign the hardware token.
Set the password, uncheck the box and click Save.
The user has been created successfully.
Now click the down arrow beside the user and click Assign More... just below SecurID Tokens. See the image below.
If you imported the hardware tokens previously, you should see all your available tokens, as in the image above. Contact me directly if you don't know how to import hardware or software tokens into RSA AM. Now select the token and click Assign.
The token has been assigned successfully. Now hand the corresponding hardware token device to the respective user.
Now let's see how to configure the RADIUS authentication server group in the SWIFT application using the LSO and RSO accounts.
You need to follow the RSA documentation below regarding the SWIFT configuration.
Here are the key steps:
- Log in to the SWIFT application using the LSO (Left Security Officer) account. Go to User Management > Authentication Server Groups.
- Click Add new (or similar).
This is done from the LSO account. Under the Primary Server section, Host address is the address of the RSA AM primary instance. You can put the DNS name here (if DNS traffic from SWIFT to your DNS server, typically AD, is allowed) or the IP address of RSA AM. You need to do this in the Future Configuration section; you are not allowed to edit the Current Configuration area. At the time of first configuration, put everything in Future Configuration and Current Configuration will be empty. Once you save it and come back later, you should see the Current Configuration section filled with the same information as your Future Configuration.
Now, in the Future Configuration section, enter the left key, which has to be exactly 16 characters long. Keep it simple: in practice a very complex key caused RSA AM to fail to validate the RADIUS request (most likely because some special character was handled differently on the two sides, and the RADIUS shared secret must be byte-for-byte identical on both ends). One uppercase letter, one special character, digits and lowercase letters are enough, e.g. Rsasupport@12345 (use your own value, not this example).
The port number should be 1812. Do the same in the Secondary Server section: the left key must be the same, and the Host Address should be the IP or DNS hostname of your replica Authentication Manager.
Now click Save or Next. Remember that the RSO account now has to approve whatever the LSO account has done (SWIFT Alliance enforces dual control between the two security officers).
Now log out from the LSO account and log in to the SWIFT app using the RSO account. You need to approve the change now. I forgot from where exactly; the SWIFT team can help you.
Again go to User Management > Authentication Server Groups and click Add new.
Configure the same values, except that this time you enter the right key, which is different from the left key, e.g. Rsasupport@54321.
The rest is the same. Now log off from RSO and log back in as LSO to approve the task done by RSO. Save it. Nothing needs to be restarted in the SWIFT application.
Now we need to create the RADIUS client for SWIFT in RSA AM
The client address is your SWIFT server IP. Many people have a hard time understanding which side is the RADIUS client and which is the RADIUS server. RSA AM has a built-in RADIUS server, so RSA AM is the RADIUS server, and whatever sends the RADIUS request is the RADIUS client, which here is the SWIFT application. So 10.10.11.200 is your SWIFT app IP, entered as the RADIUS client. Click Save & Create Associated RSA Agent. Most importantly, in the Shared Secret box you must enter the left key followed by the right key, 32 characters in total (with the example keys above: Rsasupport@12345Rsasupport@54321).
You must click Save here. Many people make a mistake at this point, thinking their associated RSA agent has already been added when it has not. As a result the RADIUS client (the SWIFT app) will not be able to send requests to RSA AM. So click Save. If you forget, you need to go to Access > Authentication Agents > Add New to add the primary SWIFT server as an authentication agent.
The warning shown here is normal. Click Yes, Save Agent.
Now we will configure the rest from the SSC portal. Go to this link:
https://2fa-pri.gbpl.local/ssc (in your case the link will be different)
From the drop-down, select Passcode.
Now enter the 6-digit code from the hardware token that has already been assigned and handed to you. Then click Log On.
Now you will be asked to set a new PIN and enter the next tokencode. You need to wait up to 1 minute for the next tokencode to appear (the SID700 generates a new code every 60 seconds). If you reuse the tokencode from the previous step it will not work, because RSA AM rejects a tokencode that has already been used. Click OK.
Now click the Test link.
Now enter PIN + tokencode (the new tokencode, not the one already used); this combination is the passcode. Then click Test.
As you can see, the test authentication is successful. Now go to your SWIFT application login page. Log in via the LSO account. Find the OTPTEST1 user and change the RADIUS server (this tells the user which RADIUS server to use if you have multiple RADIUS servers configured) and the authentication method, which should be RADIUS (something like RADIUS; I can't remember the exact name). Log off and log in via the RSO account to approve the changes under that user's settings.
Now go to your SWIFT application login page again. Provide OTPTEST1 as the username and, in the password field, enter PIN + tokencode, i.e. the passcode. You should now log in successfully.
Now, what if the OTPTEST1 user left the hardware token device at home, forgot to bring it, or lost it?
In this case, there are three things you can do.
- Using the LSO or RSO account, enable OTPTEST1's local user account in SWIFT. This lets the user log in with SWIFT's local account (password only, so there is no second factor while this is enabled). LSO/RSO approval may be required.
- Assign a new hardware token device to that user (unassign the previous one so it can no longer be used) and configure it by following the same steps shown above.
- Assign a fixed passcode to the OTPTEST1 user. Let's describe this one.
From the Security Console go to Identity > Users > Manage Existing. Click the down arrow beside the OTPTEST1 user.
Check the box Allow authentication with a fixed passcode. We have set the passcode to 12345678 for testing. Now save it. Note that a fixed passcode is a static password, so it removes the second factor; treat it as a temporary measure and uncheck the box as soon as the user has a token again.
Now go to the following link again: https://2fa-pri.gbpl.local/ssc (in your case this URL will be different).
Enter 12345678 here. Now it will ask you to change it.
Set a new passcode, 87654321, and click OK.
Now everything is set. Go to your SWIFT application login page, provide OTPTEST1 as the username and, in the password field, enter 87654321, the fixed passcode. You should now log in successfully.
Another point: if the admin assigns a hardware token to a username, the user can access the SWIFT portal with the username and only the 6-digit tokencode, depending on whether the RSA AM token policy for that user requires a PIN. A fixed passcode is only needed if the user lost the hardware token or forgot to bring it to the office. For better security, always go for the PIN + tokencode option, i.e. the passcode authentication method shown above, so that a lost or stolen token alone is not enough to log in.
Another use case: what if a user forgot their PIN? Or a user who is already using a hardware token leaves, and you need to assign that same hardware token to another user with a new PIN. How?
To solve this, follow the steps below.
After logging in, navigate to Identity > Users > Manage Existing, then click Search to list all the internal-database users (assuming you did not configure AD as an identity source for user synchronization).
Click the black drop-down icon beside the user whose PIN you want to reset, then click SecurID Tokens.
Click Clear SecurID PIN.
You can see that the PIN has been cleared.
Now open another browser and navigate to the self-service portal at https://example.com/ssc (use your own URL). Provide the correct username (the user whose PIN you just cleared) and click OK.
From the drop-down, select Passcode instead of Password. Click Log On.
Provide the 6-digit tokencode shown on the SID700 hardware token already assigned to this user. Click Log On.
Now set the new PIN and provide a new 6-digit tokencode from the SID700 device, not the one you used a moment ago. Click OK.
You will land on this page. Click Test.
Provide the user ID and PIN + tokencode in the Passcode field (10 digits in total with a 4-digit PIN; the PIN length is set by the token policy).
Successful. Now go to the SWIFT portal to log in.
Thanks. I hope this helps you a lot. Kindly consider subscribing.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube: