SecureAuth Health Analyzer Value-Added Module (VAM) Deployment Guide

Updated April 10, 2019

This document details the deployment and configuration of the SecureAuth Health Analyzer Value-Added Module (VAM) on a SecureAuth Identity Platform appliance. The addition of the SecureAuth Health Analyzer VAM in your environment will enable you to not only analyze security risks, but also to create a run book of information featuring your appliance set-up and configuration.

The Health Analyzer VAM tests SecureAuth realms to gather the following information and generate a report based on the results. The elements tested include:

  • Average health and security score of all realms combined.

  • Number of Identity Manager (IdM) Realms.

  • Number of SSO Realms.

  • Number of Network Realms.

  • Machine Name & Host Name.

  • Whether the machine is joined to a domain.

  • Whether the server has an enabled firewall.

  • IPv4 and IPv6 addresses.

This is followed by a list of all realms with a hyperlink to drill down into specifics for each realm. Each link is summarized with the title, authentication mode, purpose, and audit score. This testing applies to the IdM, SSO, and Network Realms.

What's new in version 3.0

  • Updated to work against both Identity Platform version 9.2 and version 9.3

  • WS-trust endpoints that are enabled are listed as part of the summary in “Warning Level Information”

  • All remaining changes were to prevent tampering with the Health Analyzer VAM

Benefits / Use cases

There are two cases for which the Health Analyzer VAM is expressly designed:

  • Your current SecureAuth Identity Platform installation is not running as you would like, and you want to run a health check to isolate the problem.

  • You are planning to upgrade your current SecureAuth Identity Platform deployment to the most recent version and want to determine whether SecureAuth Professional Services should become involved in the upgrade effort.

In addition, it:

  • Conducts a detailed analysis of the IdM, SSO, and network realms.

  • Enables managers and installers to establish the health and current configuration of the SecureAuth deployment.

  • Audits the results and provides an HTML report.

Prerequisites

While there are several ways to deploy the Health Analyzer VAM, the procedure detailed on the following pages is the approach recommended by SecureAuth.

The Health Analyzer VAM and this documentation have been built using the systems outlined below:

  • Version 3.0 of the Health Analyzer VAM should be run directly on the Identity Platform appliance.

  • All other requirements are met by the out-of-the-box Identity Platform appliance.

Installation guidance

When planning for deployment, keep in mind the following best practices:

  • Make sure to download the latest deployment package from the SecureAuth website that matches your version of the SecureAuth Identity Platform. The Health Analyzer cannot interpret an Identity Platform version earlier than 2.0. There is a build of the Health Analyzer VAM for 8.x-9.2, and one for 9.3.

  • Make sure that all realms you are using have been fully configured, as any incompletely configured realm will automatically register an error.

  • The computer bearing the SecureAuth Identity Platform appliance must have a designated D: drive as the Health Analyzer will create a directory for its report on the computer’s D: drive. The SecureAuth Identity Platform creates a D: drive as part of the standard deployment, so this should not be a problem in most cases.

  • We strongly recommend using threat feeds that take advantage of threat intelligence to prevent misuse of credentials.

  • The Health Analyzer is designed to identify the adaptive gaps in your Identity Platform configuration. If you are not running adaptive functionality — such as Geo-fencing, Geo-velocity, and Geo-location, etc. — you are not taking advantage of SecureAuth Identity Platform’s full power or protecting your system to its maximum extent.

Requirements

The requirements for deployment of this VAM are:

  • SecureAuth Identity Platform version 9.0.x or later.

Packaged installation

For the installation, download the correct package based on your organization’s current version of SecureAuth’s Identity Platform.

Unzip the package and run SecureAuth IdP Health & Configuration Analyzer.exe.

Running the Health Analyzer VAM

To run the Health Analyzer, perform the following procedure:

  1. From the desktop, double-click on the SecureAuth IdP Health Analyzer.exe icon. The Health Analyzer will start. A screen appears, as seen in the image below.

  2. Click the Start button.

    health_analyzer_VAM_001.png

    The Analyzer automatically detects the location of the SecureAuth Identity Platform then inspects the existing SecureAuth Identity Platform realms and associated files. As it proceeds, it presents a status update, as seen in the image below.

    All currently configured realms are examined and analyzed in sequence, starting with Realm0 and proceeding through every created realm.

    Once the analysis is finished, the Tasks Complete message, as in the following image, appears at the bottom of the run status list.

    health_analyzer_VAM_002.png

  3. Once the analysis is completed, the Analyzer deposits its findings into a special Report directory on the D: drive, as seen in the image below.

    health_analyzer_VAM_003.png

    The report folder is generated and placed on the D: drive.

    At least four subfolders appear here. The report itself is found in the subfolder that is dated. If the analyzer is run more than once a day, only the latest report appears in this folder. If a report is run on multiple days, each report appears in its own dated folder.

  4. Click on the dated subfolder you require.

    Two or more files appear. One of the files will be named index.html. One or more auxiliary files bearing the name of each realm that has been inspected also appear, as seen in the image below.

  5. Double-click on the index.html file.

    health_analyzer_VAM_004.png

    The report appears in your default browser, as in the next image.

    health_analyzer_VAM_005.png

  6. If required, drill down into the status of individual realms by clicking on the available realm name links.

Interpreting the report

When you double-click on the report index.html file, a screen appears, as in the following image.

health_analyzer_VAM_006.png

The fields that appear on the Analyzer report include:

| Field | Description |
| --- | --- |
| Total Realms | The total number of realms that have been defined for this Identity Platform. |
| Avg Score | Average score for the realms on this Identity Platform. For an explanation of what the score entails, refer to Score Calculation below. |
| IdM Realms | The total number of realms that have been defined for IdM activities. |
| SSO Realms | The total number of realms defined for SSO activities. |
| Ntwk Realms | The number of realms defined for network activities. |
| Machine Name | The name of the computer on which this Identity Platform appliance resides. |
| Domain Joined | Indicates whether this Identity Platform appliance is joined to an Active Directory domain (Yes/No). |
| Firewall Enabled | Indicates whether the host’s firewall has been enabled for this Identity Platform appliance (Yes/No). |
| Host Name | The name of the host on which this Identity Platform appliance resides. In many cases, the Host Name field and the Machine Name field are identical. |
| IP Addresses... | The range of IP addresses assigned to the realms and components of this Identity Platform appliance. |

Realm List — a list of the realms defined for this Identity Platform appliance.

| Field | Description |
| --- | --- |
| # | The number assigned to this realm. |
| Title | The name assigned to this realm. This is a link to specific realm information. To drill down and view the report for this individual realm, click the link. The individual realm report appears as explained later under Individual Realm Report. |
| Auth | The authentication path this realm follows as defined by the Identity Platform workflow configuration. |
| Purpose | The purpose for creating this realm. |
| Audit Score | The composite percentage the Health Analyzer VAM has assigned to this realm. To view the elements on which this score is based, click this link. The individual realm report will appear as explained below in the Individual Realm Report section. |

Notifications List — a list of issues the Health Analyzer VAM encountered.

| Field | Description |
| --- | --- |
| Issue | A color-coded notification identifies an issue as critical, warning, recommendation, support, or information and then describes the specific issue. |
| Affected Realms | The realm(s) identified as affected by the issue. |

Individual realm report

If you click on the Realm List title or the Audit Score link, a report of the individual realm appears, as in the image below.

health_analyzer_VAM_007.png

The drilled-down individual realm diagnostic report includes the following sections and fields:

| Section | Field | Description |
| --- | --- | --- |
| Overview | Title | The name assigned to this realm. |
| Overview | Header | The header assigned to this realm. |
| Overview | Description | A description of this realm. |
| Overview | Auth Workflow | The type of workflow mode this realm follows to authenticate. |
| Overview | Purpose | The purpose for which this realm was created (such as IdM, SSO, Network). |
| Directories | Auth Directory | The data source this realm uses for authentication (such as Active Directory). |
| Directories | Auth Connection | The connection string used to connect this source for authentication data. |
| Directories | Profile Directory | The source this realm uses for storing profile data (such as sAMAccountName). |
| Directories | Profile Connection | The connection method used to connect this source for profile data (such as the Active Directory domain). |
| Interface | Theme | The theme assigned to this realm. |
| Interface | Logo | The logo assigned to this realm. |
| Interface | Portal Log | The logo assigned to the portal of this realm. |
| Interface | Email Logo | The logo used for the email function of this realm. |
| Additional Auth | Second Factors | The second authentication factor assigned to this realm, such as email, PIN, or phone. |
| Additional Auth | Group Restriction | Any restrictions by user groups imposed on this realm. |
| Additional Auth | OTP Length | The length of the OTP assigned to this realm. This tells the PIN OTP page the length of the OTP to generate. |
| Purpose | SecureAuth Type | The type of SecureAuth function specified by this realm, such as IdM, SSO, or Network. |
| Purpose | Post-Auth Destination | The destination of this realm post-authentication. |
| Purpose | Profile List | List of profile fields for IdM such as Show, Hidden, and Enabled. |

Score calculation

The scores displayed on the report screen are broken down into a series of escalating concerns on a scale of 1 to 5, where 5 is critical.

| Score | Meaning |
| --- | --- |
| 1 - Non-issue | Non-issue. |
| 2 - Support Issue | Support issues, such as: The Password Expiration cannot be determined. Please contact SecureAuth support. |
| 3 - Recommendation | Recommendations, such as: Audit Logging has only TEXT files selected. Please consider utilizing either Syslog or SQL as a logging type. |
| 4 - Warning | Configuration issues, such as: Debug Logging is currently enabled and may cause issues in a production environment. |
| 5 - Critical | Critical issues, such as: SSL is currently not required for this realm. Please enable SSL and ensure it is always used. |

Release notes

Version 3.0 — 04/02/2019

  • Version 3.0 applies to clients with either Identity Platform 9.2 or 9.3.

Version 2.0 — 10/17/2019

  • Version 2.0 included updated reporting and functionality.

Upgrade information

Before upgrading SecureAuth software, open a Support ticket. The process of upgrading to a newer SecureAuth software version might cause the SecureAuth VAM to become invalid and stop working. When your site is ready to upgrade SecureAuth software, get started by creating a support ticket and selecting "I have a question or issue regarding SecureAuth Value-Added Modules (VAMs)" from the "Submit a request" list. A SecureAuth Tailoring engineer will contact you to evaluate and ensure that the VAM will work with the updated SecureAuth software.