This section describes how to integrate RSA SecurID Access with IBM Security Access Manager as an authentication agent.
Architecture Diagram
RSA Authentication Manager
To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (using 8.1.x or earlier RSA Agent API) or TCP-based agent (using 8.5 or newer RSA Agent API).
If UDP-based agent:
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Note: Authentication Manager must be able to resolve the IP address from the hostname
IBM Security Access Manager
IBM Security Access Manager has separate RSA SecurID Agent configuration for web reverse proxy and advanced access control.
Note: Use management IP address for creating agent host record for web reverse proxy and use application interface IP address for creating agent host record for advanced access control on the RSA Authentication Manager.
Configure Authentication Agent for Web Reverse Proxy
Perform these steps to configure IBM Security Access Manager as an authentication agent to RSA Authentication Manager for web reverse proxy.
Procedure
1. Log in to the local management interface of the appliance.
2. Browse to Secure Web Settings > Global Settings > RSA SecurID Configuration.
3. Click Upload to browse and upload the sdconf.rec file. The Status area indicates status as Available if upload is complete. Details section displays the RSA Server name and Agent IP address.
4. Click Test to perform a test authentication. Enter the user name and passcode for a valid RSA SecurID user and then click Submit. Successful authentication will generate node secret file.
SecurID Agent Integration Details
| RSA Authentication Agent API | 8.1.2 |
| RSA SecurID Authentication API (REST) | NA |
| RSA SecurID User Specification | Default Method |
| Display RSA Server Info | Yes |
| Perform Test Authentication | Yes |
| Agent Tracing | No |
| Agent Files | Location |
|---|---|
| sdconf.rec | Local Management Interface |
| sdopts.rec | None Specified |
| Node secret | Local Management interface |
| sdstatus.12 / jastatus.12 | None Specified |
| rsa_api.properties | NA |
Configure Authentication Agent for Advanced Access Control
Perform these steps to configure IBM Security Access Manager as an authentication agent to RSA Authentication Manager to enable RSA SecurID authentication using advanced access control.
Procedure
1. Log in to the local management interface of the appliance.
2. Browse to Secure Access Control > Policy > Authentication.
3. On the Authentication page, click Mechanisms tab, choose RSA One-time Password and click Edit symbol.
4. On the Modify Authentication Mechanism window,
- Click the Properties tab, select Agent Network Interface property and click Edit symbol.
- Select 1.1 option from the Value drop-down list and click Ok.
- Click the Agent Files tab, select sdconf.rec option and click Upload to browse and upload the sdconf.rec file and click Save.
5. Deploy changes.
SecurID Agent Integration Details
| RSA Authentication Agent API | 8.1.2 |
| RSA SecurID Authentication API (REST) | NA |
| RSA SecurID User Specification | Designated Users |
| Display RSA Server Info | No |
| Perform Test Authentication | No |
| Agent Tracing | Yes |
| Agent Files | Location |
|---|---|
| sdconf.rec | Local Management Interface |
| sdopts.rec | Local Management Interface |
| Node secret | Local Management Interface |
| sdstatus.12 / jastatus.12 | None |
| rsa_api.properties | NA |
Agent Tracing: Agent tracing can be enabled by setting the properties on the RSA SecurID configuration page mentioned in step 4a above. Refer to Security Access Manager Advanced Access Control Configuration topics guide for complete debug instructions.
Agent trace file : Agent trace file can be accessed using local management interface.
Location: Monitor Analysis and Diagnostics > Logs > Application Log Files > Access Control > rsa.log
Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Authentication Agent configuration to your use case.
