Configure the RSA SecurID Authentication API for Authentication Agents

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Feb 12, 2018.
Version 3

The RSA SecurID Authentication API is a REST service that allows you to use clients or authentication agents to securely pass user authentication requests to and from RSA Authentication Manager. After you install authentication agents that use the REST protocol, you must configure the RSA SecurID Authentication API.

When you enable the RSA SecurID Authentication API, you generate the Access ID and Access Key. Authentication agents can use the Access ID and Access Key to interact with the RSA SecurID Authentication API. The agents include these credentials in the HTTP header for authentication requests.

The default mode for authentication agents uses the Access Key. To use both the Access ID and the Access Key, you can enable a Hash-based Message Authentication Code (HMAC) mode for the RSA SecurID Authentication API. The HMAC mode allows the agent to protect the integrity of authentication requests with a hash of the request body and an HMAC signature.
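The following added example (not RSA's code and not the wire format of the RSA SecurID Authentication API) sketches how a body hash plus an HMAC signature lets a server detect an altered request or a wrong key. The header names, the `/authn` path, the canonical string layout and the choice of SHA-256 are assumptions made for illustration; the actual format is described in Generate an HMAC for Authentication Agents.

```python
import hashlib
import hmac

# Constructed sample credentials; real values come from the Security Console.
ACCESS_ID = "sample-access-id"
ACCESS_KEY = b"sample-access-key-not-a-real-secret"


def sign_request(method, path, body, date, access_id, access_key):
    """Agent side: hash the body, then HMAC the fields the server must trust."""
    body_hash = hashlib.sha256(body).hexdigest()
    # Hypothetical canonical string layout, one field per line.
    canonical = "\n".join([method.upper(), path, date, body_hash, access_id])
    signature = hmac.new(access_key, canonical.encode(), hashlib.sha256).hexdigest()
    return {"X-Access-Id": access_id, "X-Date": date,
            "X-Body-SHA256": body_hash, "X-Signature": signature}


def verify_request(method, path, body, headers, key_lookup):
    """Server side: look up the key by Access ID, recompute, compare in constant time."""
    access_id = headers.get("X-Access-Id", "")
    access_key = key_lookup(access_id)
    if access_key is None:
        return False  # unknown Access ID
    expected = sign_request(method, path, body, headers.get("X-Date", ""),
                            access_id, access_key)
    # The body hash is recomputed from the received bytes, so an altered body
    # changes both the hash and the signature that covers it.
    return (hmac.compare_digest(expected["X-Body-SHA256"], headers.get("X-Body-SHA256", ""))
            and hmac.compare_digest(expected["X-Signature"], headers.get("X-Signature", "")))


def demo():
    """Return (valid, altered_body, wrong_key, unknown_id) verification results."""
    keys = {ACCESS_ID: ACCESS_KEY}
    body = b'{"user": "jdoe"}'  # constructed request body, sent in the clear
    hdrs = sign_request("POST", "/authn", body, "2018-02-12T00:00:00Z",
                        ACCESS_ID, ACCESS_KEY)
    valid = verify_request("POST", "/authn", body, hdrs, keys.get)
    altered = verify_request("POST", "/authn", b'{"user": "root"}', hdrs, keys.get)
    wrong_key = verify_request("POST", "/authn", body, hdrs, {ACCESS_ID: b"other"}.get)
    unknown_id = verify_request("POST", "/authn", body, hdrs, {}.get)
    return valid, altered, wrong_key, unknown_id


if __name__ == "__main__":
    print(demo())
```

In this sketch the Access Key never leaves the agent; only the Access ID and the signature travel with the request. The date is signed but not checked for freshness here, and the body itself remains readable, so an HMAC of this kind provides integrity and origin authentication rather than confidentiality.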

Procedure 

  1. On the primary instance, log on to the Security Console, and go to Setup > System Settings.

  2. Under Authentication Settings, click RSA SecurID Authentication API.

  3. Select the Enable Authentication API checkbox.

    The Access ID and Access Key are generated and displayed.

    Authentication agents need the Access Key to use the RSA SecurID Authentication API, unless you are using HMAC mode, which requires both values. The same Access ID and Access Key values are used for the RSA SecurID Authentication API on all of the Authentication Manager instances in the deployment.

    Note:  Copy these values to a secure location where you can access them when you configure authentication agents that use the RSA SecurID Authentication API. The Access ID and Access Key are sensitive data, and the Access Key is confidential. Store these values securely, and share them only with other administrators.

  4. (Optional) Click Regenerate Agent Credentials if you need to generate new values for the Access ID and Access Key. You cannot cancel the process. The new credentials are saved as soon as you regenerate them. You do not need to click Save.

  5. (Optional) In the Communication Port field, enter the port number the authentication agents will use to communicate with the RSA SecurID Authentication API. The default is 5555.

  6. Click Apply Settings. The RSA Authentication API is enabled on the primary instance.

  7. To apply the changes to the replica instances, do the following:

    1. On each replica instance, log on to the Security Console, and go to Setup > System Settings.
    2. Click Apply Settings. The RSA SecurID Authentication API changes are applied to the replica instance.
    3. Repeat these steps on each replica instance.

After you finish 

  • If you are using an HMAC for authentication requests, see Generate an HMAC for Authentication Agents.
  • Use the Security Console to add authentication agents that use the REST protocol. For instructions, see Deploying an Authentication Agent That Uses the REST Protocol.
  • Authentication agents that use the REST protocol use a REST server URL for communication between the authentication agent and Authentication Manager. The URL contains a Fully Qualified Host Name (FQHN), which the authentication agent resolves to the addresses of the Authentication Manager instances that should be used for authentication. You could choose to create a specific FQHN to represent the active Authentication Manager instances in your deployment, and use DNS to add or remove the Authentication Manager instances that are used for authentication.

 

 

 

 

