
RSA Adaptive Authentication

(On-Premise) 7.1
Product Overview Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, eFraudNetwork, BSAFE and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a
list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
RSA Adaptive Authentication (On-Premise) 7.1 Product Overview Guide

Contents
Preface
    About This Guide
    RSA Adaptive Authentication (On-Premise) Documentation
    Support and Service
        Before You Call Customer Support
Chapter 1: Introduction to RSA Adaptive Authentication (On-Premise)
    Components of RSA Adaptive Authentication (On-Premise)
    End-User Flow within RSA Adaptive Authentication
Chapter 2: RSA Adaptive Authentication System Overview
    Architectural Overview
    RSA Risk Engine
    Policy Management
    RSA eFraudNetwork Service
    RSA Central
    External Data Provider Services
        GeoIP Service
        Channel Determination Service
    Scheduler
    Back Office Applications
        Access Management
        Administration Console
        Case Management
        Customer Service
        Policy Management
        Report Viewer
    Case Management API
    Network Integration
    RSA Adaptive Authentication Utilities
        Batch Loader
        GeoIP Data Download
        Aggregator Token Generator
        Configuration Framework Utilities
        RSA eFraudNetwork Agent Utility
        Encryption
        Diagnostics Manager
        HealthCheckServlet
        Log Manager Servlet
    FIPS 140-2 Compliance
Chapter 3: High-Level Deployment Tasks

Preface

About This Guide


This guide introduces RSA Adaptive Authentication (On-Premise) 7.1. It is intended
to provide a high-level introduction to the product and its documentation set.

RSA Adaptive Authentication (On-Premise) Documentation


For more information about RSA Adaptive Authentication (On-Premise) 7.1, see the
following documentation:
Authentication Plug-In Developer's Guide. Describes the Authentication Plug-In
development process that enables external authentication providers to integrate
their products with RSA Adaptive Authentication (On-Premise).
Back Office User's Guide. Provides an overview of the following Back Office
applications: Policy Management, Case Management, Access Management,
Customer Service Administration, and the Report Viewer.
Bait Credentials Setup and Implementation Guide. Describes how to set up and
implement RSA bait credentials, which help provide you with accelerated fraud
detection and prevention capabilities.
Best Practices for Challenge Questions. Describes the best practices related to
challenge questions that RSA has evolved through experience at multiple
deployments.
Installation and Upgrade Guide. Describes detailed procedures on how to install,
upgrade, and configure RSA Adaptive Authentication (On-Premise).
Integration Guide. Describes how to integrate and deploy
RSA Adaptive Authentication (On-Premise).
Operations Guide. Provides information on how to administer and operate
RSA Adaptive Authentication (On-Premise) after upgrade. This guide also
describes how to configure Adaptive Authentication (On-Premise) within the
Configuration Framework.
Performance Guide. Provides information about performance testing and
performance test results for the current release version of RSA Adaptive
Authentication (On-Premise).
Product Overview Guide. Provides a high-level overview of RSA Adaptive
Authentication (On-Premise), including system architecture.
Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues. It also includes the supported
platforms and work environments for platform certifications. The latest version of
the Release Notes is available on RSA SecurCare Online at
https://knowledge.rsasecurity.com.

Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) web services API methods and parameters. This guide also
describes how to build your own web services clients and applications using web
services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
What's New. Highlights new features and enhancements in RSA Adaptive
Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise).

Support and Service


RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.emc.com/support/rsa/index.htm
RSA Solution Gallery: https://gallery.emc.com/community/marketplace/rsa?view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common
questions and solutions to known problems. It also offers information on new releases,
important technical news, and software downloads.
The RSA Solution Gallery provides information about third-party hardware and
software products that have been certified to work with RSA products. The gallery
includes Secured by RSA Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.

Before You Call Customer Support


Make sure that you have direct access to the computer running the Adaptive
Authentication (On-Premise) software.
Please have the following information available when you call:
Your RSA Customer/License ID.
Adaptive Authentication (On-Premise) software version number.
The make and model of the machine on which the problem occurs.
The name and version of the operating system under which the problem occurs.

1 Introduction to RSA Adaptive Authentication (On-Premise)

RSA Adaptive Authentication (On-Premise) is designed to be a comprehensive
authentication and fraud detection system helping to provide cost-effective protection
for an entire user base. Adaptive Authentication can help secure online portals, SSL
VPNs, and web access management portals for many different types of organizations
in the healthcare, insurance, enterprise, government, financial services, and other
industries. For more information about potential use cases, see High-Level
Deployment Tasks on page 23.
Adaptive Authentication (On-Premise) is powered by risk-based authentication
(RBA), a risk assessment and authentication technology that operates transparently
and classifies all users by measuring a series of risk indicators. This transparent
authentication is designed to provide a convenient online experience for the majority
of users. Users are only challenged when suspicious activities are identified and an
organizational policy is violated.


Components of RSA Adaptive Authentication (On-Premise)


The following figure shows the components of RSA Adaptive Authentication
(On-Premise).

[Figure: components of RSA Adaptive Authentication (On-Premise). Labels: Risk Engine, Back Office, Adaptive Authentication, eFraudNetwork, Authentication Methods.]

The various components in Adaptive Authentication (On-Premise) are:


RSA Risk Engine. Self-learning engine that evaluates each online activity in
real time, tracking over 100 indicators to help detect fraudulent activity or
intrusion. The Risk Engine generates a risk score between 0 and 1000 for each
activity. The higher the risk score or level, the greater the likelihood that an
activity is fraudulent.
RSA eFraudNetwork service. Collaboration of organizations, ISPs, and other
partners that share a data repository of suspicious identifiers with RSA. When
fraud is identified, fraud data, activity profiles, IP addresses, and information
about Device Fingerprints and payee (mule) accounts are moved to a shared data
repository.
Authentication Methods. Extra authentication methods that can be used in
addition to standard logon credentials. These additional methods include
challenge questions, knowledge-based authentication (KBA), one-time password
(OTP), out-of-band phone, out-of-band SMS, and out-of-band email.
Additionally, the RSA multi-credential framework (MCF) allows organizations to
integrate authentication methods that are developed in-house or by a third-party.


Back Office. Web-based Back Office applications used to manage and administer
Adaptive Authentication (On-Premise).
For more information about each component, see Chapter 2, RSA Adaptive
Authentication System Overview.

End-User Flow within RSA Adaptive Authentication


The following figure shows the secured end-user flow within RSA Adaptive
Authentication.

As shown in the preceding figure (from left to right), the following stages occur within
the flow:
1. The end user enters an application protected by Adaptive Authentication.
End users can include employees, customers, contractors, partners, administrators,
and any other members of organizations who have access to an application
secured by Adaptive Authentication. Adaptive Authentication provides protection
for the end user who enters an application using one of the following:
Website or portal.
SSL VPN application. An organization uses an SSL VPN to provide
employees and partners with remote access to its network inside a firewall.
Web access management application (WAM). An organization uses a WAM
application to secure access to web-enabled applications and resources.
Mobile applications and mobile browsers.


ATM device. For information about the ATM Protection Module, see ATM
Protection Module on page 13.
2. End-user activities are profiled.
When an end user uses one of the protected entry methods, activity details are
gathered by the RSA Risk Engine for risk assessment and authentication.
Behavioral profiles, device profiles, and RSA eFraudNetwork input are correlated
into end-user profiles by the Risk Engine.
3. Risk assessment of the end user is performed behind the scenes.
Adaptive Authentication is powered by risk-based authentication technology that
conducts a behind-the-scenes risk assessment of all end users. Transparent
authentication helps organizations to increase security without compromising user
convenience. A unique risk score is assigned to each activity, and users are only
challenged when an activity is identified as high-risk or an organizational policy is
violated.
Based on the risk scores and other factors, the Policy Management application
creates policies and rules regarding end-user activities. Events and activities that
are suspected or confirmed fraudulent activities are flagged by the system.
4. Authentication methods are applied.
Non-flagged activities are invisibly authenticated while flagged activities lead to
further monitoring and tracking, as well as the use of additional authentication
methods including challenge questions, knowledge-based authentication (KBA),
one-time password (OTP), out-of-band phone, out-of-band SMS, out-of-band
email, or client-defined authentication methods using the multi-credential
framework.
5. Authentication results determine continuation of end-user activity and contribute
to Risk Engine assessments.
End-user activity can continue, pass, or fail depending on the success of
authentication. Failed authentication data is fed back to the Risk Engine, as is data
gathered during case management. This data collection contributes to the
ever-increasing relevance and accuracy of Risk Engine assessments.


2 RSA Adaptive Authentication System Overview

Architectural Overview
RSA Risk Engine
Policy Management
RSA eFraudNetwork Service
RSA Central
External Data Provider Services
Scheduler
Back Office Applications
Case Management API
Network Integration
RSA Adaptive Authentication Utilities
FIPS 140-2 Compliance
This chapter provides an architectural overview of RSA Adaptive Authentication
(On-Premise).


Architectural Overview
The following figure shows the components of RSA Adaptive Authentication
(On-Premise) and how the components interact with each other. Adaptive
Authentication (On-Premise) is made up of various types of components including
databases, applications, utilities, and agents. Outputs include logs, reports, and data
sent to RSA Central and the RSA eFraudNetwork service.

RSA Risk Engine


RSA Adaptive Authentication (On-Premise) uses the RSA Risk Engine to help detect
fraud and other forms of suspicious behavior in logon and transaction events. Your
online application sends a request for authentication (or risk analysis) to Adaptive
Authentication and Adaptive Authentication returns the results of the risk assessment
along with a recommended action.
The Risk Engine detects fraud using several methodologies:
Positive device identification. Through the use of a cookie or Flash shared object
(FSO), your system binds a user to a device. The device binding helps identify the
user as a valid user of your online application. Users who are not bound are more
likely to be challenged than authenticated, depending on the defined policy.
Risk-based methods. The Risk Engine is trained over time in the deployment
environment. The Risk Engine takes feedback from the Case Management
application and authentication methods.


Information Sources
The RSA Risk Engine takes information from a variety of sources, including from
your online application, and performs a risk analysis to determine how much risk an
event might contain. This information (also known as facts) includes the following:
Client machine information, such as the system language, screen resolution, and
time zone.
Browser information, such as cookies, browser language, user agent string, and
HTTP header information.
IP information, such as that which determines where an IP address is located, the
number of users seen on an IP address, and device profile (velocity).
User device history information, such as whether Adaptive Authentication has
seen the device before and whether the user's browser information changed.
User profile and behavior, such as the number of days after the last user logon and
the number of days after a password change.
Transaction information, such as specific user data, time, and payment
information.
Information about a user's current DOM (Document Object Model) elements for a
specific HTML page, such as fields, JavaScript function names, and frames on the
page, used for the HTML Injection Protection feature.
Browser events that occur on an HTML page, such as keyboard strokes and mouse
movements, used for the Man vs. Machine Detection feature.
DevicePrint latency (ping time) information, such as the time taken to reach the
end user's local host and the end user's external IP address, used for the Proxy
Attack Protection feature.
Information about the location of the end user's mobile device, such as longitude,
latitude, altitude, and speed, used for the Mobile Location Awareness feature.

ATM Protection Module


The ATM Protection Module uses detailed information about ATM-specific activities
to help detect fraudulent events.
The ATM Protection Module is designed to monitor ATM-specific activities by
collecting information about the end-user account, the current transaction, and the
location and type of ATM device. This information is passed to the RSA Risk Engine.
Based on the collected information, Adaptive Authentication assesses the risk
associated with the transaction and creates a case in Case Management accordingly.
To monitor these activities, new facts have been defined for creating policy rules in
the Policy Management application. The Case Management application is updated to
display ATM-related information.
The ATM activity details can be sent to Adaptive Authentication either via the API or
via the Batch Loader utility to process bulk information about ATM activities. For
more information about the Batch Loader utility, see the Operations Guide.
For more information about the ATM Protection Module, see the Workflows and
Processes Guide.


Policy Management
The Policy Management component determines what to do about potentially risky
events, based on the risk analysis. The Policy Management component is configured
by adapting the RSA Adaptive Authentication default policies to your existing
business policies.
The Policy Management component takes the information from the Risk Engine and
recommends what actions need to be taken for that given event. Adaptive
Authentication (On-Premise) returns the recommended actions to your application.
Actions may include the following:
Allow. Allows the user to access your online system (logon) or continue with the
transaction (transaction analysis or transaction monitoring).
Challenge. Challenges the user by requesting additional authentication, by way of
challenge questions or out-of-band authentication.
Deny. Denies the user access to your system (logon) or denies the transaction
event.
Review. Flags the event for review through Case Management by a fraud analyst.
This action can be a supplemental recommendation to other action types. After the
fraud analyst completes the review, the final result is sent to the Risk Engine to
improve its learning ability and fraud detection rate.
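
One way a calling application can enforce the recommended action it receives, written as an added example (not RSA code and not the product's web services API). The Recommendation fields, the action strings, and the step_up callback are assumptions made for illustration; Review is modelled as a supplemental flag, and any malformed result fails closed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    # The three blocking/non-blocking actions listed in the guide.
    ALLOW = "ALLOW"
    CHALLENGE = "CHALLENGE"
    DENY = "DENY"


@dataclass(frozen=True)
class Recommendation:
    # Hypothetical shape of a risk-assessment result (assumption).
    risk_score: int        # the guide states scores range from 0 to 1000
    action: str            # raw value as received, not yet trusted
    review: bool = False   # Review as a supplemental recommendation


@dataclass(frozen=True)
class Decision:
    proceed: bool                     # may the logon/transaction continue?
    open_case: bool                   # hand the event to a fraud analyst?
    challenge_passed: Optional[bool]  # None when no challenge was run
    reason: str


def _parse_action(raw: object) -> Optional[Action]:
    """Map the raw action onto a known Action, or None if unrecognised."""
    if not isinstance(raw, str):
        return None
    try:
        return Action(raw.strip().upper())
    except ValueError:
        return None


def enforce(rec: Recommendation, step_up: Callable[[], bool]) -> Decision:
    """Turn a recommendation into an enforcement decision.

    step_up runs the additional authentication method (challenge
    questions, OTP, out-of-band, ...) and returns True only on success.
    """
    score_ok = (isinstance(rec.risk_score, int)
                and not isinstance(rec.risk_score, bool)
                and 0 <= rec.risk_score <= 1000)
    action = _parse_action(rec.action)

    # Fail closed: an out-of-range score or unknown action never proceeds,
    # and the event is flagged so that someone looks at it.
    if not score_ok or action is None:
        return Decision(False, True, None, "malformed recommendation")

    if action is Action.DENY:
        # The challenge must not run for a denied event.
        return Decision(False, rec.review, None, "denied by policy")

    if action is Action.ALLOW:
        return Decision(True, rec.review, None, "allowed by policy")

    # CHALLENGE: proceed only on an explicit True; errors count as failure.
    try:
        passed = step_up() is True
    except Exception:
        passed = False
    reason = "challenge passed" if passed else "challenge failed"
    return Decision(passed, rec.review, passed, reason)


if __name__ == "__main__":
    # Constructed sample recommendations, not captured product output.
    samples = [
        Recommendation(120, "ALLOW"),
        Recommendation(640, "CHALLENGE", review=True),
        Recommendation(910, "DENY", review=True),
        Recommendation(300, "PERMIT"),
    ]
    for rec in samples:
        print(rec, "->", enforce(rec, step_up=lambda: True))
```

The challenge_passed field is the value the application would report back, since the guide notes that authentication outcomes feed the Risk Engine.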
The following figure shows the interaction between the Risk Engine and the Policy
Management component.


RSA eFraudNetwork Service


The RSA eFraudNetwork service is a collaboration of organizations, ISPs, and
feeding partners that share a data repository of suspicious identifiers with RSA.

RSA Central
RSA provides a centralized service called RSA Central that helps you access and
provide log files to RSA and pull information from reports and GeoIP data. The
service is specifically designed for receiving log files from sources, such as RSA
Adaptive Authentication (On-Premise), and for allowing you to retrieve and view
reports through the Report Viewer application. Reports are available as PDF and CSV
files.

External Data Provider Services


RSA Adaptive Authentication (On-Premise) enables dynamic update of the device
definition file in the device type detector component.
The following topics describe the external data providers. For more information, see
the Operations Guide.

GeoIP Service
The geographic IP location information (GeoIP) files used by RSA Adaptive
Authentication (On-Premise) need to be updated over time as IP addresses are moved
to different locations or ISPs.

Channel Determination Service


RSA provides updated Mobile Detection files through your reporting account. These
files can be accessed by any of the supported mechanisms for downloading reports,
such as rsync over SSH, SFTP, or HTTPS. You can download the latest Mobile
Detection files from RSA Central. For more information, see the chapter Updating
Mobile Detection Information in the Operations Guide.

Scheduler
Keeping RSA Adaptive Authentication (On-Premise) in operational mode requires
running maintenance, monitoring, and database-related tasks. The Scheduler allows
you to schedule and manage all of these tasks using a single console. You can specify
the tasks to run and the configuration parameters for that run.
The Scheduler generates log files on a daily basis for troubleshooting system
operation.
For information about how to configure scheduled tasks in Adaptive Authentication
(On-Premise), see the topic Scheduler Operation in the Operations Guide.


Back Office Applications


The Back Office applications are a set of web-based applications that enable operators
in your organization to interact with the Adaptive Authentication system. The Back
Office applications have a dedicated database, which is separate from the Core
Database. The Back Office applications are:
Access Management
Administration Console
Case Management
Customer Service
Policy Management
Report Viewer

Access Management
The Access Management application allows you to create users for personnel within
your organization. It also allows you to manage user roles and permissions for the
different Back Office applications.
If your organization manages its users with an external identity store, such as an
LDAP directory or Active Directory, you can grant access to RSA Adaptive
Authentication (On-Premise) through the external identity framework. For more
information about access for these users, see the chapter Managing Access to the
Back Office Applications in the Back Office User's Guide.

Administration Console
The Administration Console application allows you to manage system configuration
parameters. You use the Administration Console application to modify and maintain
parameter values according to your Adaptive Authentication implementation,
business requirements, and system setup.

Case Management
The Case Management application is used to review events that are flagged as
high-risk by RSA Adaptive Authentication (On-Premise) and require a fraud analyst's
review.
Events are flagged for review by Adaptive Authentication (On-Premise) and the Case
Management application pulls these events into its dedicated database. Fraud analysts
review the events and provide resolution. Using web services calls, the flagged events
and the resolutions are updated in the Core Database.

Customer Service
The Customer Service application allows customer service representatives to search
for and modify user account information and help your end users with online account
troubleshooting.


In addition, the Customer Service application provides user activity logs that customer
service representatives can monitor.

Policy Management
The Policy Management application allows you to define your organization's policy
by which RSA Adaptive Authentication (On-Premise) detects and acts upon a
high-risk event. For security reasons, RSA recommends that you verify and test the
policy set before implementing policies in Adaptive Authentication (On-Premise). For
more information, see the chapter Managing Policies in the Back Office User's
Guide.

Report Viewer
The RSA Risk Engine produces forensic log files. Based on these log files,
RSA Central provides reports for your organization regarding your forensic activity.
With the Report Viewer application, you can view daily, weekly, and monthly reports
created by RSA Central. Reports from RSA Central are synchronized with the Report
Viewer application for accurate reading of the files.

Case Management API


The Case Management API is the extension of Adaptive Authentication (On-Premise)
Case Management capabilities that allows you to share information with your external
case management system. It provides your organization with the flexibility to more
accurately influence event resolution for suspected or confirmed fraudulent activities.
This added capability enables your organization to extract cases and activities (events)
from the Case Management application as well as provide feedback concerning the
resolutions of these cases and activities. For more information about the relationship
between cases and events within the Case Management application, see the Back
Office User's Guide.
The Case Management API service provides the methods to extract data about events
and cases. The extraction process uses filters for more specific data retrieval results.
This service also includes methods to update the resolution information on events as
well as the case statuses for specific cases, as needed. For more information about
Case Management API, see the Web Services API Reference Guide.


Network Integration
The following high-level diagram shows the recommended network deployment for
RSA Adaptive Authentication (On-Premise). The diagram reflects the following
business flow:
A user connects to a customer website from the Internet zone.
A customer website located in the demilitarized zone (DMZ) collects information
from the user and passes it to Adaptive Authentication (On-Premise) in the
Application Tier.
Adaptive Authentication (On-Premise) manages the information and returns a risk
score along with a policy-based action.
Adaptive Authentication (On-Premise) uses the Core Database, located in the
Organizational Data Tier, for storage of operational data.

[Figure: recommended network deployment. Labels: Public firewall, Private firewall, Organizational firewall (optional), Data Management Zone, Application tier, Organizational data tier, End user, Web server, HTML and JSP pages and scripts, Application server, RSA Adaptive Authentication, Core database.]


RSA Adaptive Authentication Utilities


RSA Adaptive Authentication (On-Premise) provides several utilities that system
administrators can use to configure, manage, and operate Adaptive Authentication
(On-Premise). There are operational, testing, diagnostic, and troubleshooting utilities.
The Adaptive Authentication (On-Premise) utilities include:
Operational utilities:
- Batch Loader
- GeoIP data download
- Aggregator Token Generator
- Configuration Framework utilities
- eFraudNetwork agent (optional)
- Encryption utility

Diagnostic and troubleshooting utilities:
- Diagnostics Manager
- HealthCheckServlet
- Log Manager Servlet

The following figure shows the high-level interaction of utilities with Adaptive
Authentication (On-Premise).


Batch Loader
The Batch Loader utility is a command-line tool for loading historical customer data
into the Core Database for use in risk analysis. You can execute the Batch Loader
utility in one of the following modes:
- Risk Engine only. In this mode, the Batch Loader utility only loads data to the
  Risk Engine. It does not create users and devices. RSA recommends using this
  mode for increased efficiency and performance.
- Full. In this mode, the Batch Loader utility loads Risk Engine data, user IDs, and
  device information. Full mode should only be used when device recognition and
  recovery is key to role authentication.
For more information about the Batch Loader utility, see the Operations Guide.

GeoIP Data Download


RSA provides geographic IP location information with your initial build. Over time,
IP addresses are moved to different locations or ISPs. RSA periodically updates the
existing GeoIP data and adds new entries.
RSA recommends that you update your GeoIP files every two months.
For more information about how to download GeoIP data, see the Operations Guide.

Aggregator Token Generator


RSA works with account aggregators to allow customers to use aggregators to access
your online system. To allow an aggregator to access your online service, you must
define the following items:
- A list of IP addresses associated with the aggregator
- A specific super token assigned to an aggregator to access RSA Adaptive
  Authentication (On-Premise)
The Aggregator Token Generator creates the super token for an aggregator. This super
token is placed in your configuration files.
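
As an added illustration (not RSA code and not part of this guide), the following Python example shows one way a service could enforce both items together: the request must come from a listed address and present the matching super token. The registry layout, the function name and all sample values are assumptions made for this example.

```python
import hmac
import ipaddress

# Constructed sample registry; the aggregator name, networks and token are
# made-up values, and this layout is an assumption of the example.
AGGREGATORS = {
    "example-aggregator": {
        "networks": ["198.51.100.0/28", "203.0.113.7/32"],
        "super_token": "constructed-sample-super-token",
    },
}


def is_aggregator_request(name, source_ip, presented_token, registry=AGGREGATORS):
    """Accept only when the source IP is listed AND the super token matches."""
    entry = registry.get(name)
    if entry is None or not isinstance(presented_token, str):
        return False  # unknown aggregator or missing token: fail closed
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address: fail closed
    # An IPv6 address is never "in" an IPv4 network, so mixed families are rejected.
    ip_ok = any(addr in ipaddress.ip_network(net) for net in entry["networks"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    token_ok = hmac.compare_digest(
        presented_token.encode("utf-8"), entry["super_token"].encode("utf-8")
    )
    # Neither condition alone is sufficient.
    return ip_ok and token_ok
```

A request from a listed address with the wrong token, or with the right token from an unlisted address, is rejected.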

Configuration Framework Utilities


RSA Adaptive Authentication (On-Premise) provides several utilities for use within a
Configuration Framework. The Configuration Framework utilities enable you to load
configurations from the file system to the Core Database. The ConfigTool utility
manages your configuration files before deployment or during maintenance.


RSA eFraudNetwork Agent Utility


RSA Adaptive Authentication (On-Premise) communicates with the RSA
eFraudNetwork service through an eFraudNetwork agent. The eFraudNetwork agent
allows you to update your system with high-risk IP addresses, Device Fingerprint
information, and payee (mule) account information from the eFraudNetwork.
The eFraudNetwork agent receives updated fraudulent information by accessing the
eFraudNetwork service through the HTTPS protocol. The Core Database is then
populated with the updated information.
The information update can be either automatic or manual, according to your
preference.
For more information about the eFraudNetwork agent utility, see the Operations
Guide.

Encryption
The encryption feature is a mechanism that allows you to encrypt and decrypt
sensitive data from RSA Adaptive Authentication (On-Premise). The encryption
process ensures that private, end-user details are protected from potential attacks. You
can enable and disable the encryption feature by modifying the relevant configuration
settings in the Administration Console. In addition, an encryption utility is provided to
manage master key generation and rotation.
For more information about the encryption feature, see the chapter Encrypting User
Data in the Operations Guide.

Diagnostics Manager
The Diagnostics Manager provides you with an automated process of analyzing issues
that may occur during operation of RSA Adaptive Authentication (On-Premise). The
Diagnostics Manager collects data from Adaptive Authentication (On-Premise) for
analysis and ultimate issue resolution by RSA. This information is collected in the
form of a ZIP file that you send to RSA Customer Support for analysis.

Note: The Diagnostics Manager is only for use with the guidance of an RSA
representative.

HealthCheckServlet
The HealthCheckServlet performs an overall system health check and can assess a
database connection status. RSA Adaptive Authentication (On-Premise) usually
initiates the health check but system administrators can use the HealthCheckServlet to
perform a manual check. This tool outputs its results to a log file and an HTML page
that the system administrator can inspect to check for any problems.

Log Manager Servlet


The Log Manager Servlet manages existing log file settings. The servlet allows you to
debug, set varying information levels, and manage your overall log settings.


FIPS 140-2 Compliance


RSA Adaptive Authentication (On-Premise) complies with FIPS 140-2 Level 1 using
RSA BSAFE 4.1. This strong encryption standard ensures a high level of security for
database storage of user-sensitive data.
For details about FIPS 140-2 compliance, see the RSA BSAFE Crypto-J 4.1 Security
Policy at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1291.pdf.


3 High-Level Deployment Tasks


Whether you are securing an online portal, a web access management (WAM) portal,
or an SSL VPN, you perform the same high-level tasks for deploying and
maintaining RSA Adaptive Authentication (On-Premise). The following table outlines
these high-level steps.

| Task | Who Performs Task | Reference |
| --- | --- | --- |
| 1. Plan the Adaptive Authentication (On-Premise) rollout. This might include the following: Determine the time and resources needed for each task. Define hardware and software requirements. Determine how Adaptive Authentication (On-Premise) works with the business needs, for example, which workflows or processes to follow. | project manager | Best Practices for Challenge Questions; Product Overview Guide; Release Notes; What's New; Workflows and Processes Guide |
| 2. Set up infrastructure. | IT operator | Operations Guide; Performance Guide |
| 3. Install Adaptive Authentication (On-Premise) in test mode, and complete basic configuration of the product. | developer, database administrator | Installation and Upgrade Guide |
| 4. Configure Adaptive Authentication (On-Premise) according to specifications identified by project manager. This might include the following: Prepare Adaptive Authentication (On-Premise) according to specified parameters. Give access rights to Back Office administrators. | developer, IT operator, database administrator | Back Office Users Guide; Bait Credentials Setup and Implementation Guide; Operations Guide |
| 5. Integrate the secure application with Adaptive Authentication (On-Premise) through the web services API or an integration adapter. | developer | Authentication Plug-In Developers Guide; Integration Guide; Web Services API Reference Guide; Adaptive Authentication Adapter guides. See documentation on RSA SecurOnline at https://knowledge.rsasecurity.com/scolcms/sets.aspx?product=aa&_v=document |
| 6. Educate end users and internal functional teams. | project manager or training specialist | Product Overview Guide. For a description of each guide in the documentation set, see Chapter 4, Documentation Set Overview. |
| 7. Customize the Adaptive Authentication policies to meet business needs, such as updating the policies so that 5% of all customers must complete additional authentication. | Back Office user | Back Office Users Guide |
| 8. Maintain the stability of Adaptive Authentication (On-Premise). | IT operator or database administrator | Operations Guide; Performance Guide |
| 9. Set up Back Office applications for use on an ongoing basis. Customize the Adaptive Authentication (On-Premise) configuration to meet business needs (updating policies) and reduce intrusion attempts (managing cases). | Back Office user | Back Office Users Guide |
