Configuring SecurID for use with Centrify zone-based role and privilege execution

To require a SecurID pass code at login, modify the role definitions of the affected users to require multi-factor authentication. To require a SecurID pass code for specific commands, configure the command right for re-authentication using multi-factor authentication.

To configure RSA SecurID for use with Centrify zone-based role definitions and command rights:

  1. In Access Manager, configure your role definitions to use multi-factor authentication:
    1. In Access Manager, locate the role definitions for which you want to require use of the SecurID pass code.

      For example, navigate to your zone, then go to Authorization > Role Definitions, and then select the role definition in the right pane.

    2. For each role definition, right-click the role definition and select Properties.
    3. Click the Authentication tab.
    4. Select Require multi-factor authentication for login.
    5. Click OK to save the changes.
  2. In Access Manager, configure your command rights to use multi-factor authentication:
    1. In Access Manager, locate the command rights definitions for which you want to require use of the SecurID pass code.

      For example, navigate to your zone, then go to Authorization > UNIX Right Definitions > Commands, and then select the rights definition in the right pane.

    2. For each command right, right-click the command right and select Properties.
    3. Click the Attributes tab.
    4. Select Re-authenticate current user.
    5. Select Require multi-factor authentication.
    6. Click OK to save the changes.
  3. Make sure that you’ve installed the DirectControl agent for *NIX on the UNIX or Linux computer where you want users to use the RSA SecurID pass code.
  4. On the Linux or UNIX computer where you want users to use the SecurID pass code, locate the pam_centrifydc_cloud.so file.
  5. Rename the pam_centrifydc_cloud.so file.
  6. Create a symlink for the pam_centrifydc_cloud.so file to point to the pam_securid.so file instead.

    Affected users on the affected UNIX or Linux computers must now enter their RSA SecurID pass code to log in to those computers.
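
Steps 4 through 6 as a shell function, added here as an example and not taken from Centrify or RSA documentation. Module paths are passed as arguments because their locations vary by platform; the `.orig` backup suffix is an assumption of this example.

```shell
#!/bin/sh
# Added example: replace pam_centrifydc_cloud.so with a symlink to
# pam_securid.so, keeping the original so the change can be reverted.

# Usage: swap_pam_module CENTRIFY_MODULE SECURID_MODULE
# The ".orig" backup suffix is an assumption, not a Centrify convention.
swap_pam_module() {
    src=$1      # full path to pam_centrifydc_cloud.so
    target=$2   # full path to pam_securid.so
    backup="${src}.orig"

    # The RSA module must exist, or the new link would dangle and
    # multi-factor logins would fail.
    if [ ! -f "$target" ]; then
        echo "error: $target not found" >&2
        return 1
    fi
    # Already swapped: do nothing, so the function is safe to rerun.
    if [ -L "$src" ] && [ "$(readlink "$src")" = "$target" ]; then
        echo "already linked: $src -> $target"
        return 0
    fi
    # Anything other than a regular file here is unexpected; stop.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "error: $src is missing or is an unexpected symlink" >&2
        return 1
    fi
    # Never overwrite an earlier backup of the original module.
    if [ -e "$backup" ]; then
        echo "error: backup $backup already exists" >&2
        return 1
    fi

    mv "$src" "$backup" || return 1       # step 5: rename the original
    if ! ln -s "$target" "$src"; then     # step 6: create the symlink
        mv "$backup" "$src"               # roll back if linking failed
        return 1
    fi
    echo "linked: $src -> $target (original kept as $backup)"
}

# Step 4: locate the module first, for example:
#   find / -name pam_centrifydc_cloud.so 2>/dev/null
# Then, as root:
#   swap_pam_module /path/to/pam_centrifydc_cloud.so /path/to/pam_securid.so
```

Keep an existing root session open while testing a new login, so the original module can be restored from the `.orig` file if authentication fails.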