Additional Considerations
SafeNet Authentication Service table management
Because the SourceUserslog table accumulates a large volume of data over time, it is recommended that the table be truncated, or rotated, to maintain SAS performance.
SafeNet Authentication Service logging service
In SAS, data stored in the database is displayed within the user interface. SAS can also push Authentication and Operator Activity data in near real-time to a SAS Remote Logging Agent, which then delivers it in one of several formats (Event Viewer, syslog, SIEM (ArcSight), or log file).
The logging service in SAS must be configured in a way similar to the SAS Synchronization Agent. For more information, refer to SAS Remote Logging Agent.
Once SAS has been configured, it is recommended that DNS record(s) be created that are mapped back to SAS.
MobilePASS
SAS supports Thales's MobilePASS software token, as well as the next-generation MobilePASS+. MobilePASS and MobilePASS+ provide one-step installation, along with highly secure standards-based activation.
This token uses a provisioning method called Dynamic Symmetric Key Provisioning Protocol (DSKPP).
(Image based on principal data flow for DSKPP key generation using a public server key – RFC 6063.)
Key facts – MobilePASS and MobilePASS+ enrollment
- Enrollment occurs over SSL.
- To enroll, the server sends the user the username and the enrollment password, encoded either in a URL or as an activation code delivered by email.
- The enrollment URL and enrollment password are per-user secrets, stored encrypted in the user's personalization data attributes.
- The enrollment password can also be configured with an expiration date and time.
- The enrollment password never crosses the wire in clear text; it is hashed together with other protocol data, including random data that the client sends to the server protected with public key cryptography.
- The resulting hash is valid only for that session and cannot be reused by an attacker in another session.
- Once enrolled, the password is deleted from the SAS back end, so no other enrollment can reuse it.
Password communication and delivery to the customer can be implemented securely using out-of-band channels (for example, SMS or e-mail) to registered users only.
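The following is an added illustration, written for this page and not Thales or SAS code, of the enrollment properties listed above: a one-time, expiring per-user enrollment password that never leaves the client in the clear, a proof bound to the session's random data so it cannot be replayed elsewhere, and deletion of the password once enrollment succeeds. It is a simplified model, not the RFC 6063 (DSKPP) message format; in particular it assumes the client's random value is carried over the SSL channel the page requires rather than modelling the public-key encryption DSKPP applies to it. All names, the record layout and the key-derivation step are constructed for the example.

```python
"""Simplified model of one-time, session-bound token enrollment (hypothetical code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class EnrollmentRecord:
    username: str
    enrollment_password: bytes   # per-user, one-time (SAS stores it encrypted at rest)
    expires_at: datetime


def compute_proof(password, username, session_id, client_nonce, server_nonce):
    """The password itself never crosses the wire; only this session-bound MAC does."""
    msg = b"|".join([username.encode(), session_id.encode(), client_nonce, server_nonce])
    return hmac.new(password, msg, hashlib.sha256).digest()


def derive_token_key(password, client_nonce, server_nonce):
    """Both sides derive the token seed from the shared secret and both nonces (toy KDF)."""
    return hmac.new(password, b"token-key|" + client_nonce + server_nonce, hashlib.sha256).digest()


class EnrollmentServer:
    def __init__(self):
        self._pending = {}    # username -> EnrollmentRecord awaiting enrollment
        self._sessions = {}   # session_id -> (username, server_nonce), single use
        self.token_keys = {}  # username -> provisioned token key

    def issue_enrollment(self, username, lifetime=timedelta(hours=24)):
        """Create the per-user enrollment password that is delivered out of band."""
        password = secrets.token_bytes(16)
        expires = datetime.now(timezone.utc) + lifetime
        self._pending[username] = EnrollmentRecord(username, password, expires)
        return password

    def start_session(self, username):
        """Server hello: fresh random data that binds the client's proof to this session."""
        session_id, server_nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self._sessions[session_id] = (username, server_nonce)
        return session_id, server_nonce

    def finish_session(self, session_id, client_nonce, proof):
        """Verify the proof for this session only; return the token key or None."""
        if session_id not in self._sessions:
            return None
        username, server_nonce = self._sessions.pop(session_id)
        record = self._pending.get(username)
        if record is None:                                  # already used or never issued
            return None
        if datetime.now(timezone.utc) > record.expires_at:  # enrollment password expired
            del self._pending[username]
            return None
        expected = compute_proof(record.enrollment_password, username,
                                 session_id, client_nonce, server_nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        key = derive_token_key(record.enrollment_password, client_nonce, server_nonce)
        self.token_keys[username] = key
        del self._pending[username]   # one-time: no later enrollment can reuse the password
        return key


def client_enroll(server, username, password):
    """Client side of one round trip; returns the derived token key or None."""
    session_id, server_nonce = server.start_session(username)
    client_nonce = secrets.token_bytes(16)
    proof = compute_proof(password, username, session_id, client_nonce, server_nonce)
    server_key = server.finish_session(session_id, client_nonce, proof)
    if server_key is None:
        return None
    client_key = derive_token_key(password, client_nonce, server_nonce)
    assert client_key == server_key   # both ends hold the same token seed
    return client_key


def cross_session_replay(server, username, password):
    """Eavesdropper model: a proof computed for session 1 is presented in session 2.
    Returns (replay_accepted, genuine_accepted); expected (False, True)."""
    sid1, nonce1 = server.start_session(username)
    sid2, _nonce2 = server.start_session(username)
    client_nonce = secrets.token_bytes(16)
    proof1 = compute_proof(password, username, sid1, client_nonce, nonce1)
    replayed = server.finish_session(sid2, client_nonce, proof1) is not None
    genuine = server.finish_session(sid1, client_nonce, proof1) is not None
    return replayed, genuine


if __name__ == "__main__":
    srv = EnrollmentServer()
    pw = srv.issue_enrollment("alice")
    print("first enrollment ok:", client_enroll(srv, "alice", pw) is not None)
    print("second enrollment ok:", client_enroll(srv, "alice", pw) is not None)
    print("replay / genuine:", cross_session_replay(srv, "bob", srv.issue_enrollment("bob")))
```

The replay check is the property to watch for when auditing any enrollment flow: the server recomputes the MAC over its own per-session nonce, so a captured proof is useless in any other session even before the one-time password is deleted.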
Because SSL is required for this enrollment process, the server that handles enrollment must have an SSL certificate installed, and that certificate must be trusted by every system on which you intend to enroll tokens. It is therefore recommended that you use a certificate from a well-known public Certification Authority (CA) that is trusted by all devices without any device customization. This simplifies the end-user experience and allows enrollment on platforms such as Windows, which validate the certificate at the OS level.