F5 BIG-IP APM 14.1 - Authentication Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jun 25, 2019. Last modified by RSA Information Design and Development on Jun 25, 2019. Version 2.

This section describes how to integrate RSA SecurID Access with F5 BIG-IP APM as an authentication agent.

Architecture Diagram

Configure RSA Authentication Manager

To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).

Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (RSA Agent API 8.1.x or earlier) or a TCP-based agent (RSA Agent API 8.5 or newer).

For a UDP-based agent:

  • Hostname: Configure the agent host record name to match the hostname of the agent.
  • IP Address: Configure the agent host record to match the IP address of the agent.

Note: Authentication Manager must be able to resolve the IP address from the hostname.

For a TCP-based agent:

  • Hostname: Configure the agent host record name to match the agent name as specified in the agent's configuration. It does not have to match the hostname of the authentication agent.
  • IP Address: Leave blank. Any input to this field will be disregarded.

 

Configure F5 BIG-IP APM

Perform these steps to configure F5 BIG-IP APM as an authentication agent to RSA Authentication Manager.

Procedure

1. Sign in to the BIG-IP Configuration Utility and click Main > Access > Authentication > SecurID.

2. On the SecurID Servers page, click Create...

3. On the New Server... page, enter the following:

  1. Name: Enter a suitable name for the SecurID Server.
  2. Agent Host IP Address: Click the Select from Self IP List radio button and, from the drop-down list, select the IP address that was entered in Authentication Manager when the agent host record was created.
  3. SecurID Configuration File: Click the Choose File button and browse to the configuration file (sdconf.rec) downloaded from Authentication Manager.

4. Click Finished.

 

Next Step: Proceed to the Access Profile use case configuration section to apply this integration type to an access profile.

 

SecurID Agent Integration Details

  • RSA Authentication Agent API: RSA ACE/Agent Version 8.1 [236] 04_12_10_06_52_08
  • RSA SecurID Authentication API (REST): Not Applicable
  • RSA SecurID User Specification: All Users
  • Display RSA Server Info: No
  • Perform Test Authentication: Yes
  • Agent Tracing: No

Agent Files and Locations

  • sdconf.rec: /config/aaa/ace/Common/<server-name>/sdconf.rec
  • sdopts.rec: /config/aaa/ace/Common/<server-name>/sdopts.rec
  • Node secret: /config/aaa/ace/Common/<server-name>/securid
  • sdstatus.12: /config/aaa/ace/Common/<server-name>/sdstatus.12
  • rsa_api.properties: None stored

 

Node Secret: (C and Java Agents only)

The Node Secret file is stored in the file system (path in the table above) and is named securid. If required, the node secret can be cleared on the agent side by deleting this file with the rm command from the F5 appliance shell.

sdconf.rec: (C and Java Agents only)

This file is also stored in the file system (path in the table above). It contains information about the Authentication Manager servers. It can be managed through the F5 Configuration Utility and the appliance shell.

Add: This file is added when the agent record is created in F5 (documented in the configuration steps above).

Modify: To use a new sdconf.rec file when the agent record has already been added, do the following:

  1. Log in to the F5 Configuration Utility and click Main > Access > Authentication > SecurID.
  2. Click the agent name for which sdconf.rec needs to be modified.
  3. On the Properties page, under SecurID Configuration File Properties, click the Upload New File radio button.
  4. Click Choose File and browse to the location of the new sdconf.rec file.
  5. Click Update.

Delete: This file can be deleted from the F5 appliance shell using the rm command.

sdopts.rec: (C and Java Agents only)

This file is present in the file system (path in the table above). If required, its contents can be modified, or the file can be deleted, from the F5 appliance shell. It can be used for manual load balancing; for details, see the RSA Authentication Agent API Guide. Each time sdopts.rec is changed, the agent must be restarted for the change to take effect.
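The agent files in the table above can be checked from the appliance shell. The following script is an added example, not code from the RSA guide or from F5: it audits one SecurID server object's directory, assuming the base path /config/aaa/ace/Common from the table (a second argument overrides it so the check can be run against a copy), and treats a node secret readable beyond its owner as a finding, which is an assumed hardening rule rather than something the guide states.

```shell
#!/bin/sh
# Added example, not from the RSA guide or F5: audit the SecurID agent files
# that BIG-IP APM keeps for one SecurID server object, at the paths from the
# table above. Assumes the default base /config/aaa/ace/Common; a second
# argument points the check at a copy of that directory instead.

# securid_agent_audit <server-name> [base-dir]
# Prints one line per file; returns the number of problems found.
securid_agent_audit() {
    dir="${2:-/config/aaa/ace/Common}/$1"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (no SecurID server object named '$1'?)"
        return 1
    fi
    # sdconf.rec is mandatory: it tells the agent which AM servers to use.
    if [ -s "$dir/sdconf.rec" ]; then
        echo "OK       sdconf.rec ($(wc -c < "$dir/sdconf.rec" | tr -d ' ') bytes)"
    else
        echo "MISSING  sdconf.rec (upload it under Access > Authentication > SecurID)"
        problems=$((problems + 1))
    fi
    # The node secret exists only after the first successful authentication.
    # It is a secret shared with Authentication Manager, so group/other
    # permission bits on it count as a finding (assumed hardening rule).
    if [ -f "$dir/securid" ]; then
        bits=$(ls -ld "$dir/securid" | cut -c5-10)
        if [ "$bits" = "------" ]; then
            echo "OK       securid (node secret present, owner-only)"
        else
            echo "WARN     securid readable beyond its owner (group/other bits: $bits)"
            problems=$((problems + 1))
        fi
    else
        echo "INFO     securid absent (no successful authentication yet, or cleared)"
    fi
    # Optional files: report only.
    [ -f "$dir/sdopts.rec" ] && echo "INFO     sdopts.rec present (restart agent after edits)"
    [ -f "$dir/sdstatus.12" ] && echo "INFO     sdstatus.12 present (server status file)"
    return "$problems"
}

# clear_node_secret <server-name> [base-dir]
# Removes the agent-side node secret, the rm step the guide describes.
clear_node_secret() {
    rm -f "${2:-/config/aaa/ace/Common}/$1/securid"
}

if [ $# -gt 0 ]; then
    securid_agent_audit "$@"
fi
```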

 
