IBM Security Access Manager 9.0 - Authentication Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jul 30, 2019
Version 1

This section describes how to integrate RSA SecurID Access with IBM Security Access Manager as an authentication agent.

Architecture Diagram

RSA Authentication Manager

To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).

Agent host record configuration differs slightly depending on whether you are using a UDP-based agent (using 8.1.x or earlier RSA Agent API) or TCP-based agent (using 8.5 or newer RSA Agent API).

If UDP-based agent:

  • Hostname: Configure the agent host record name to match the hostname of the agent.
  • IP Address: Configure the agent host record to match the IP address of the agent.

Note: Authentication Manager must be able to resolve the IP address from the hostname.

 

IBM Security Access Manager

IBM Security Access Manager has separate RSA SecurID Agent configuration for web reverse proxy and advanced access control.

Note: When creating agent host records on the RSA Authentication Manager, use the management IP address for the web reverse proxy record and the application interface IP address for the advanced access control record.
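A pre-flight check for the two agent host records described above (each hostname must resolve to the IP address entered in its record, with one record per ISAM interface), given here as an added example that is not part of the RSA or IBM documentation. The hostnames, addresses and role labels are constructed placeholders, and the check assumes it runs where name resolution matches what Authentication Manager sees.

```python
import ipaddress
import socket


def system_resolver(hostname):
    """Return the set of addresses the local resolver gives for hostname."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def normalise(addr):
    """Canonical string form of an IP address; drops any IPv6 scope id."""
    return str(ipaddress.ip_address(addr.split("%")[0]))


def check_agent_records(records, resolver=system_resolver):
    """Compare each planned agent host record with name resolution.

    Returns a list of (role, status, detail) where status is OK,
    MISMATCH (hostname resolves, but not to the record's IP address) or
    UNRESOLVED (hostname does not resolve at all).
    """
    results = []
    for rec in records:
        expected = normalise(rec["ip"])  # raises ValueError on a mistyped address
        try:
            resolved = sorted(normalise(a) for a in resolver(rec["hostname"]))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results.append((rec["role"], "UNRESOLVED", f"{rec['hostname']}: {exc}"))
            continue
        status = "OK" if expected in resolved else "MISMATCH"
        detail = f"{rec['hostname']} -> {resolved}, record has {expected}"
        results.append((rec["role"], status, detail))
    return results


if __name__ == "__main__":
    # Constructed sample data: placeholder names and documentation-range addresses.
    planned = [
        {"role": "web reverse proxy (management IP)",
         "hostname": "isam-mgmt.example.test", "ip": "192.0.2.10"},
        {"role": "advanced access control (application interface IP)",
         "hostname": "isam-app.example.test", "ip": "192.0.2.20"},
    ]
    # Constructed resolver table standing in for DNS so the demo runs offline;
    # omit the resolver argument to query the real resolver instead.
    table = {"isam-mgmt.example.test": {"192.0.2.10"},
             "isam-app.example.test": {"192.0.2.21"}}
    for role, status, detail in check_agent_records(planned, table.__getitem__):
        print(f"{status:10} {role}: {detail}")
```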

Configure Authentication Agent for Web Reverse Proxy

Perform these steps to configure IBM Security Access Manager as an authentication agent to RSA Authentication Manager for web reverse proxy.

Procedure

1. Log in to the local management interface of the appliance.

2. Browse to Secure Web Settings > Global Settings > RSA SecurID Configuration.

3. Click Upload to browse to and upload the sdconf.rec file. The Status area shows Available when the upload is complete. The Details section displays the RSA Server name and Agent IP address.

4. Click Test to perform a test authentication. Enter the user name and passcode for a valid RSA SecurID user and then click Submit. A successful authentication generates the node secret file.

SecurID Agent Integration Details

RSA Authentication Agent API             8.1.2
RSA SecurID Authentication API (REST)    NA
RSA SecurID User Specification           Default Method
Display RSA Server Info                  Yes
Perform Test Authentication              Yes
Agent Tracing                            No

Agent Files                  Location
sdconf.rec                   Local Management Interface
sdopts.rec                   None Specified
Node secret                  Local Management Interface
sdstatus.12 / jastatus.12    None Specified
rsa_api.properties           NA

 

Configure Authentication Agent for Advanced Access Control

Perform these steps to configure IBM Security Access Manager as an authentication agent to RSA Authentication Manager to enable RSA SecurID authentication using advanced access control.

Procedure

1. Log in to the local management interface of the appliance.

2. Browse to Secure Access Control > Policy > Authentication.

3. On the Authentication page, click the Mechanisms tab, choose RSA One-time Password and click the Edit symbol.

4. On the Modify Authentication Mechanism window:

  a. Click the Properties tab, select the Agent Network Interface property and click the Edit symbol.

  b. Select the 1.1 option from the Value drop-down list and click Ok.

  c. Click the Agent Files tab, select the sdconf.rec option, click Upload to browse to and upload the sdconf.rec file, and then click Save.

5. Deploy changes.

 

SecurID Agent Integration Details

RSA Authentication Agent API             8.1.2
RSA SecurID Authentication API (REST)    NA
RSA SecurID User Specification           Designated Users
Display RSA Server Info                  No
Perform Test Authentication              No
Agent Tracing                            Yes

Agent Files                  Location
sdconf.rec                   Local Management Interface
sdopts.rec                   Local Management Interface
Node secret                  Local Management Interface
sdstatus.12 / jastatus.12    None
rsa_api.properties           NA

 

Agent Tracing: Agent tracing can be enabled by setting the properties on the RSA SecurID configuration page mentioned in step 4a above. Refer to the Security Access Manager Advanced Access Control Configuration topics guide for complete debug instructions.

Agent trace file: The agent trace file can be accessed using the local management interface.

Location: Monitor Analysis and Diagnostics > Logs > Application Log Files > Access Control > rsa.log

 

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Authentication Agent configuration to your use case.

 
