This section describes how to integrate RSA SecurID Access with F5 BIG-IP APM as an authentication agent.
Configure RSA Authentication Manager
To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (using the 8.1.x or earlier RSA Agent API) or a TCP-based agent (using the 8.5 or newer RSA Agent API).
If UDP-based agent:
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Note: Authentication Manager must be able to resolve the IP address from the hostname.
If TCP-based agent:
- Hostname: Configure the agent host record name to match the agent name as specified in the agent's configuration. It does not have to match the hostname of the authentication agent.
- IP Address: Leave blank. Any input to this field will be disregarded.
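The agent host record rules above can be checked before the record is created. The following is an added example, not code from RSA or F5; the function and parameter names, the sample hostnames and addresses, and the injectable resolver are assumptions made for illustration. For a UDP-based agent, run it where name resolution matches what Authentication Manager sees.

```python
import ipaddress
import socket


def resolve(hostname):
    """Addresses the local resolver returns for hostname (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0].split("%")[0] for info in infos}


def check_agent_record(agent_type, record_name, record_ip, agent_name, resolver=resolve):
    """Return a list of problems with a planned agent host record; empty means OK.

    agent_name is the agent's hostname (UDP) or the agent name from the agent's
    own configuration (TCP). All parameter names are hypothetical.
    """
    problems = []
    if record_name != agent_name:
        # Assumption: names are compared exactly as typed.
        problems.append(f"record name {record_name!r} does not match agent {agent_name!r}")
    if agent_type == "udp":
        try:
            wanted = str(ipaddress.ip_address(record_ip))
        except ValueError:
            return problems + [f"IP Address {record_ip!r} is not a valid address"]
        resolved = resolver(record_name)
        if not resolved:
            problems.append(f"{record_name!r} does not resolve to any address")
        elif wanted not in resolved:
            problems.append(f"{record_name!r} resolves to {sorted(resolved)}, not {wanted}")
    elif agent_type == "tcp":
        if record_ip:
            problems.append("IP Address should be left blank; any input is disregarded")
    else:
        raise ValueError(f"unknown agent type {agent_type!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a fake DNS view and two planned records.
    fake_dns = {"bigip1.example.test": {"192.0.2.10"}}
    lookup = lambda host: fake_dns.get(host, set())
    print(check_agent_record("udp", "bigip1.example.test", "192.0.2.11",
                             "bigip1.example.test", lookup))
    print(check_agent_record("tcp", "apm-agent", "", "apm-agent", lookup))
```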
Configure F5 BIG-IP APM
Perform these steps to configure F5 BIG-IP APM as an authentication agent to RSA Authentication Manager.
1. Sign in to the BIG-IP Configuration Utility and click Main > Access > Authentication > SecurID.
2. On the SecurID Servers page, click Create...
- Name: Enter a suitable name for the SecurID Server.
- Agent Host IP Address: Click the Select from Self IP List radio button and, from the drop-down list, select the IP address that was entered in Authentication Manager when the agent host record was created.
- SecurID Configuration File: Click the Choose File button and browse to the location where the configuration file (sdconf.rec) is located.
4. Click Finished.
Next Step: Proceed to the Access Profile use case configuration section to apply this integration type to an access profile.
SecurID Agent Integration Details
|RSA Authentication Agent API|RSA ACE/Agent Version 8.1  04_12_10_06_52_08|
|RSA SecurID Authentication API (REST)|Not Applicable|
|RSA SecurID User Specification|All Users|
|Display RSA Server Info|No|
|Perform Test Authentication|Yes|
Node Secret: (C and Java Agents only)
The Node Secret file is stored in the file system (path in table above) and is named securid. If required, the node secret can be cleared on the agent side by deleting this file with the rm command from the F5 appliance shell.
sdconf.rec: (C and Java Agents only)
This file is also stored in the file system (path in table above). It contains information about the Authentication Manager servers. This file can be managed via the F5 Configuration Utility and the appliance shell.
Add: This file is added when the agent record is created in F5 (documented in the configuration steps above).
Modify: To use a new sdconf.rec file when the agent record has already been added, perform the following steps:
- Sign in to the F5 Configuration Utility and click Main > Access > Authentication > SecurID.
- Click the agent name for which sdconf.rec needs to be modified.
- On the Properties page, under SecurID Configuration File Properties, click the Upload New File radio button.
- Click Choose File and browse to the location of the new sdconf.rec file.
- Click Update.
Delete: This file can be deleted from the F5 appliance shell using the rm command.
sdopts.rec: (C and Java Agents only)
This file is present in the file system (path in table above). If required, the contents of this file can be modified, or the file can be deleted, using the F5 appliance shell. This file can be used for manual load balancing. For more details, see the RSA Authentication Agent API Guide. Each time sdopts.rec is changed, the agent needs to be restarted for the changes to take effect.