
Recently I had a customer use case that required integrating SecurID Access authentication into one of their web applications. With the release of Authentication Manager (AM) 8.2 SP1, and continuing with AM 8.3, there is a new built-in RESTful web API for authentication. A REST-compliant API allows much easier integration of SecurID authentication into web-based applications and sign-on workflows. In a few hours of testing I was able to get an RSA-provided test application up and running against this API in my Authentication Manager 8.2 SP1 lab. One cool thing about this new REST API is that the same API serves both AM with traditional SecurID authenticators and the new SecurID Access Cloud Authentication Service with its new authenticators such as push-to-approve, biometrics and the Authenticate app token codes.


This guide is written for a non-programmer to get the RSA test application up and running against a local AM 8.2 SP1 test/lab instance. The guide is also based on a Windows client PC or VM but a knowledgeable Linux admin could easily get it running on a Linux client.



  • Local AM 8.2 SP1 Primary instance, ideally patched to the latest version, P2 as of this post, with Super Admin access
  • Windows host or VM with network connectivity to AM 8.2 SP1 Primary
  • The API example test application file from the rsa-am-extras- ZIP package, under the \RSA SecurID Authentication API folder. This Extras package is available to existing SecurID Customers and Partners under Version Upgrade Downloads on RSA Link (login required).
  • The README text file inside the API example test app zip file is very helpful and notes two other requirements, the Java JDK and Apache Maven, needed to build and run the test applications (covered in the next section).


Useful references once the package is extracted and built:

  • RSA SecurID Authentication API Developer's Guide PDF
    • The OpenAPI references in the Preface section of this PDF are helpful to developers
  • rest-java-client/target/generated-sources/swagger/index.html - API documentation generated during the Maven build
  • openapi-yaml/rsa-securid-authentication-api.yaml - the OpenAPI interface definition (YAML) source file, which contains the details of the endpoints and JSON objects

Setting Up Java JDK and Apache Maven Steps

  1. Java JDK - If it is not already installed, download the appropriate Java JDK for your client platform and install it using the defaults. Once it is installed, on a Windows PC you can launch the command prompt and type java -version; you should get version output, which shows that Java is installed and the PATH is set correctly. Because a JRE alone also provides java, javac -version is the better check that you have the JDK (the compiler) and not just the runtime.
  2. Maven - Follow the Apache install instructions, which are basically to unzip it to a directory of your choice and add the bin directory inside the Maven package to the PATH environment variable. I unzipped it to: C:\Program Files\apache-maven-3.5.0 .
    1. Maven requires the JAVA_HOME variable to be set to the JDK installation directory, and the JDK installer did not seem to set it properly on my Windows VM when the Java Runtime Environment (JRE) was also installed. If you don't get an actual path when you type echo %JAVA_HOME% at the command prompt, the Atlassian website has a good guide on this.
    2. If everything is installed correctly, on a command line mvn -v should give you similar output to this:
      Command line maven installation verification
      Notice it is jdk and not jre when the JAVA_HOME environment variable is set correctly. If it points to the JRE you will get a Maven compile error in the next step.
  3. Extract the entire file, preserving directories, into a directory of your choice; in this example it is c:\SID-REST. From here on you can follow the instructions in the README text file contained in that zip. When you run mvn clean install from the unzipped directory, Maven downloads a number of Java libraries from the central repository and then compiles the test apps based on the pom.xml file. You will see some warnings, which is OK, but eventually you should see a BUILD SUCCESS message like this:
    Command line maven build success completed
  4. We are now almost ready to configure AM 8.2 SP1 for testing. First, though, it is never a bad idea to ping the Primary test instance to make sure your Windows VM can talk to it:
    Command line AM instance successful ping from Windows VM
  5. We know AM is up so we can configure the instance to accept REST API connections. Log into the AM 8.2 SP1 Primary instance Security Console as Super Admin. On the main dashboard at the bottom left under Quick Links, go into System Settings. With 8.2 SP1 we now have a link for RSA SecurID Authentication API on the top left quadrant. Click into it:
    AM Security Console System Settings quick link Authentication API
    Enable the API checkbox and keep the default port unless you need to change it, click Apply Settings:
    SecurID Authentication API enablement and apply
    Note the Access ID and Access Key; it may be handy to paste them into a text editor while you configure the client. The Access Key is the credential that lets any client call the API, so treat it like a password: delete the scratch file when you are done, and regenerate the keys from this page if the key is ever exposed.
  6. Now, if you haven't already, either create a test user in the internal database or find a user in a lab identity source (AD or LDAPv3) and assign them a token. TIP: If your AM lab is like mine, it probably only has soft tokens. You will need to use the Windows Desktop token on the client VM, or configure iOS or Android with the CTF (Compressed Token Format) soft token profile. Note: RSA considers CTF an insecure soft token provisioning method and does not recommend it for production environments; for a test lab it is fine. Go in as admin, assign a soft token and distribute it with that CTF profile, then cut and paste the CTF activation code and email it to an account on your smartphone. After you install the RSA SecurID soft token app from the app store, that emailed code lets you import the token. The specific instructions for these steps are beyond the scope of this guide, but they are straightforward. Finally, log into the Self Service Console (SSC) as that user, set the PIN if it is not already set, and test the token to make sure authentication is working and you have a good token:
    AM Self Service Console successful token test authentication
  7. Now we can get back to the README file and start testing the Java REST-API test app. I find the test authentication client (rest-test-auth) a lot easier than the single-step CLI client (rest-test-CLI). The README instructions are fairly general, so let's take it step by step. Go into the \rest-test-auth\target subdirectory and run the jar:
    cd rest-test-auth\target
    java -jar rest-test-auth-jar-with-dependencies.jar
  8. You should get output like this assuming your JRE is installed correctly:
    Command line rest-test-auth Java program main menu

    Notice the properties file is not found because this is the first run of the test client, which creates it. There is also an SSL warning because we have not yet downloaded the root certificate from our lab AM Primary instance. The first step is to select 1) and configure the client API. We will configure these in order:
    1. Base server URL - After compile and install, this app defaults to localhost. It is easiest to cut and paste the existing default URL, edit it to the FQDN of your lab Primary instance with the configured port, and press Enter:
      Command line AM default URL change to correct address
    2. Agent Name - The app defaults to the local FQDN, so just cut and paste that, then go over to your Primary, log in as Super Admin and add a standard agent record for your Windows client VM. In my lab this box happens to also be the AD server:
      Command line keep default agent name
      AM Security Console add REST-API client computer as new host
    3. For the next 5 options just keep the default values:
      Command line keep next 5 options default
    4. Root Certificate File - Now we come to the AM instance certificate file option, so that verified HTTPS can be established between this client app and the REST-API service running on the AM instance. If you skip this, the test app only throws a warning and still works, but the connection is then unverified: anything that can sit between the client and AM can present its own certificate and read the Access Key and the user's passcodes. That is tolerable in an isolated lab and nowhere else, and it is not hard to fix. I found the easiest way is to use the Firefox browser to log into the Primary Security Console. Click the padlock icon at the top left of the URL bar, then the arrows and the More Information button until you reach the View Certificate button, and click into it. (Not all steps are shown below as screenshots, for the sake of brevity:)
      AM Security Console Firefox view certificate
      AM Security Console Firefox certificate save as p7c
      Click the Details tab, then the Export button, and export in X.509 Certificate (PKCS#7) format, noting the filename. Copy the p7c file to the same directory as your rest-test-auth-jar-with-dependencies.jar file. You can then update the root certificate filename at the command line:
      Command line certificate name update
    5. API Key Type - keep the default value of KEY. The RSA SecurID Authentication API Developer's Guide (linked above) goes into details on these two options.
    6. Access ID & Access Key - These two come from the temporary text file you copied from the AM Security Console. Cut and paste carefully, without truncating or adding spaces. (The screenshot below shows the values being updated because I regenerated the API keys on the AM Security Console between screenshots.)
      Command line API Access ID and Key update
    7. Policy ID (for RSA SecurID Access) - This next option does not apply since we are using the SecurID REST-API on Authentication Manager so just leave the default as shown in bottom of the screenshot above.
  9. Once everything is configured correctly, the program writes a local properties file. You are returned to the main menu, where we can see that SSL verification is enabled:
    Command line SSL verification enabled and properties file loaded
    We are finally ready to try out authentication with our test user token! The 4) option is the choice for a regular hard or soft token. My lab has user ID auser with a soft token on iOS. It's also helpful to go to your AM Security Console and run the Authentication Monitor. Switch back to the command line and run option 4 and test your confirmed working user and token. The screenshots below show iOS soft token PIN entry, passcode display and 2FA credential entry into the test app:
    iOS auser soft token PIN entry
    iOS auser soft token tokencode display

Command line single-step authentication username and passcode entry
Command line single-step successful SecurID authentication

AM Security Console Authentication Monitor successful


It's cool to get this working after all those steps, I think you can agree. Option 3) in the app is a multi-step authentication mostly applicable to the SecurID Access Cloud Authentication Service, but it also works for an On-Demand enabled user: the user enters a PIN, the tokencode is delivered via SMS or email, and the user then enters it as the second step. Now you or your development teams can start testing the REST-API and building SecurID Access authentication into any application that supports a RESTful API integration.


Important Considerations

The biggest caveat is that traditional SecurID native API clients written to our Java or C APIs support, by default, the load balancing and high availability built into the SecurID (SDI) protocol, including automatically discovering all Replica instances during the first authentication and failing over to the next available instance. The new RESTful API instead requires the API client to connect explicitly to a specific Primary or Replica instance, so failover must be handled by the client. In this respect it is very similar to the RADIUS server built into each AM instance, where a primary and a failover RADIUS server are defined explicitly at every client agent.
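As an added example covering two points from this post, the root-certificate step in the client configuration and the failover caveat just above, here is a small Python client that verifies TLS against only the exported AM root CA and tries the Primary and then a Replica itself, because the REST API does not do that for you. This is example code added here, not RSA's sample application or anything from the Extras package. The lab hostnames, the request path AUTH_PATH, the client-key header name and the JSON field names are assumptions; the real values are in the openapi-yaml/rsa-securid-authentication-api.yaml file and the Developer's Guide listed above. The offline transport and the response it returns are constructed so the demo runs without an AM instance.

```python
"""Client-side failover plus pinned TLS verification for the SecurID
Authentication API on Authentication Manager (AM).

Example code added to this post, not RSA's sample application.
ASSUMPTIONS (not from the post): the lab hostnames, AUTH_PATH, the
'client-key' header name and the JSON field names. Take the real values
from openapi-yaml/rsa-securid-authentication-api.yaml and the Developer's
Guide.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

PRIMARY_URL = "https://am-primary.lab.example:5555"  # assumed host; 5555 is the default API port
REPLICA_URL = "https://am-replica.lab.example:5555"  # assumed host
AUTH_PATH = "/mfa/v1_1/authn/initialize"             # assumed path; check the YAML
ACCESS_KEY_HEADER = "client-key"                     # assumed header carrying the Access Key

# A transport takes (url, body, headers) and returns the raw response body.
Transport = Callable[[str, bytes, Dict[str, str]], bytes]


def https_transport(cafile: str, timeout: float = 10.0) -> Transport:
    """Real transport. Trusts only the AM root CA exported from the
    Security Console (as PEM), so a wrong or forged certificate fails."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read()

    return send


class SecurIDRestClient:
    """POSTs to the first reachable instance, in the configured order."""

    def __init__(self, base_urls: List[str], access_key: str, transport: Transport):
        if not base_urls:
            raise ValueError("configure at least one AM instance URL")
        self.base_urls = list(base_urls)
        self.access_key = access_key
        self.transport = transport
        self.last_used: Optional[str] = None  # which instance answered last

    def post(self, path: str, payload: dict) -> dict:
        body = json.dumps(payload).encode("utf-8")
        headers = {
            "Content-Type": "application/json",
            "Accept": "application/json",
            ACCESS_KEY_HEADER: self.access_key,
        }
        failures = []
        for base in self.base_urls:
            try:
                raw = self.transport(base + path, body, headers)
            except urllib.error.HTTPError:
                # The instance answered (e.g. 401 for a bad Access Key). That is
                # a result, not an outage: never replay it on another instance.
                raise
            except OSError as exc:
                # Refused, unreachable, timed out or TLS failure: try the next one.
                failures.append(f"{base}: {exc}")
                continue
            self.last_used = base
            return json.loads(raw)
        raise ConnectionError("no AM instance reachable: " + "; ".join(failures))


def fake_transport(down: set) -> Transport:
    """Constructed offline stand-in for the lab: instances in `down` refuse
    the connection, the rest answer with a constructed JSON document."""
    def send(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
        if any(url.startswith(base) for base in down):
            raise ConnectionRefusedError(f"connect to {url} refused")
        doc = {
            "servedBy": url,
            "subject": json.loads(body).get("subjectName"),
            "keyPresented": ACCESS_KEY_HEADER in headers,
        }
        return json.dumps(doc).encode("utf-8")
    return send


def demo(down: set) -> dict:
    """One authentication-style call, trying the Primary and then the Replica."""
    client = SecurIDRestClient([PRIMARY_URL, REPLICA_URL], "ACCESS-KEY-FROM-CONSOLE",
                               fake_transport(down))
    result = client.post(AUTH_PATH, {"subjectName": "auser"})
    return {"servedBy": client.last_used, "response": result}


if __name__ == "__main__":
    # Primary down: the call transparently lands on the Replica.
    print(json.dumps(demo({PRIMARY_URL}), indent=2))
```

Firefox exports the certificate as DER-encoded PKCS#7 (.p7c); Python's ssl module wants PEM, so convert it first with openssl pkcs7 -print_certs -inform DER -in <file>.p7c -out am-root.pem and pass that path to https_transport. The HTTPError branch is deliberate: an HTTP-level rejection from one instance is the answer, and retrying the same credentials on the Replica only repeats the failed attempt.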


If you want to check out the Java code in this sample app, there are /src directories in the test app package with the Java source that can be examined in a text editor.

With today's ever-growing threat landscape, the volume, sophistication and potential damage of attacks are increasing. It is becoming harder to stop attackers from entering your networks, to isolate their motives and, most importantly, to remove them once they are there. A typical security environment uses multiple disconnected technologies that supply an immense amount of information, so prioritizing a specific piece of data is important to responding quickly to attacks. At a higher level, however, there is a need to understand whether the security strategy is really effective for the business. In short, businesses need to change their security strategies.


The solution? RSA provides a top-down approach that strategically links business risk management with security events and priorities to:

  • Make security teams operationally more impactful
  • Strategically manage business risk

By bringing different practices together, linking security incidents with business context allows security teams to respond faster to protect what matters most.

The RSA suite of tools

  • Keeps the bad actors out, while letting those with a legitimate need easily access the system
  • Enables visibility and analytics to view the big picture and provide insights into specific attacks
  • Provides business context linked to contextual intelligence for a more informed approach, which can then be translated into action

The video in this eLearning discusses how RSA's tools provide detailed information linked to the business context in order to protect the most sensitive assets.

We know you really want to join the more than 2,000 security, risk and compliance professionals at the premier Business-Driven Security event, RSA Charge 2017, Oct. 17-19 in Dallas. Now you have one final, limited opportunity to enjoy a $300 savings with our ‘throwback’ to the Early Bird Discount Rate of $645.


This is your opportunity to network with RSA customers, partners, and industry experts while discovering how to implement a Business-Driven Security  strategy in an increasingly uncertain high-risk world.


Use the Throwback Thursday code 87CTHRWBCKJUL and save $300 on your attendee pass.


Need a little more convincing, in addition to the $300 savings? Well, we have this covered too!


Check out our latest Keynote Lineup, including

  • Marc Goodman, Global Security Advisor and Futurist, will explain how to cultivate an informed workforce to create a human firewall, in what promises to be a highly engaging and humorous keynote presentation


Sneak Peek at our Upcoming Agenda of robust programming you can expect at RSA Charge 2017. Tracks include:

  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • Managing Technology Risk in Your Business
  • Inspiring Everyone to Own Risk
  • Detecting and Responding to Threats That Matter
  • Secrets of the SOC
  • Identity and Access Assurance
  • Reducing Fraud, While Not Reducing Customers
  • RSA Archer Technical
  • RSA Archer Technical, Advanced


Don’t miss out on your chance to attend RSA Charge 2017 with the limited ‘Throwback Thursday’ event. Use code 87CTHRWBCKJUL to register.


Discount code expires Thursday, July 27, 2017, at 11:59 PM PST. Offer cannot be combined with any other promotional code.


There are times when trying to put together an effective authentication strategy feels like competing in track-and-field events. Business and IT are supposed to be on the same team, but far too often seem to be racing toward completely different goals. Sure, it’s important to get to the finish line fast, but not at the risk of leaving the rest of the team behind. Read full article on Speaking of Security blog.

RSA Charge 2017’s ‘Call for Speakers’ resulted in an unprecedented number of abstract submissions across all RSA product solutions – RSA Archer Suite, RSA NetWitness Suite, RSA SecurID Suite (including RSA Identity Governance & Lifecycle), and RSA Fraud & Risk Intelligence. The submissions from RSA customers and partners included the sharing of first-hand knowledge, advice, ideas, experiences, case studies, and even war stories that submitters wanted to share with their RSA product peers at the Charge event in October.


Though the RSA Charge Program Selection Committee is thrilled by the high caliber of submissions, the Committee now faces the hard task of whittling down the list of submissions to 100 across all RSA products. Though no final decisions have yet been made, the Committee noticed that many submissions had similar titles and themes, so it decided to give you the opportunity to 'voice your choice' from a small, random subset of the abstracts received.


And, for the first time, with a registered RSA Link account, you can vote on Tracks across the entire RSA product portfolio. That’s right, you can vote on any of the product Tracks listed, but you can only vote once ‘per abstract.’


So let your voice be heard - this is your chance to 'vote your choice' and have a say in this year's RSA Charge 2017 Agenda. To vote, simply click on the Proposal Abstracts and cast your vote across all RSA Product Tracks.


Thank you for the amazing ‘Call for Speakers’ submissions for RSA Charge 2017 – it’s going to be an event you will not want to miss. If you haven’t registered for RSA Charge 2017, be sure to do so today!  



