Configure the RSA SecurID Authentication API for Authentication Agents

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 2

The RSA SecurID Authentication API is a REST service that allows you to use clients or authentication agents to securely pass user authentication requests to and from RSA Authentication Manager. After you build these RESTful clients or authentication agents, you can install them on each machine, such as a domain server, web server, or a personal computer, that you protect with Authentication Manager. To support these agents, you must configure the RSA SecurID Authentication API.

When you enable the RSA SecurID Authentication API, you generate the Access ID and Access Key. After you enable access, a developer can build clients or authentication agents that can use the Access ID and Access Key to interact with the RSA SecurID Authentication API. The agents include these credentials in the HTTP header for authentication requests.

The default mode for authentication agents uses the Access Key. To use both the Access ID and the Access Key, you can enable a Hash-based Message Authentication Code (HMAC) mode for the RSA SecurID Authentication API. The HMAC mode allows the agent to protect authentication requests with a hash of the request body and an HMAC signature.
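The following added example (not RSA code and not the API's actual wire format) shows the general shape of a request protected with a body hash and an HMAC signature keyed by the Access Key, and how a receiver detects a modified body, a swapped Access ID, or a wrong key. The header names, the canonical string layout, the path, and the credential values are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample credentials; real values are generated in the Security Console.
ACCESS_ID = "example-access-id"
ACCESS_KEY = b"example-access-key-not-a-real-secret"


def sign_request(access_key: bytes, access_id: str, method: str, path: str,
                 body: bytes, date: str) -> dict:
    """Return illustrative headers carrying a body hash and an HMAC signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    # Hypothetical canonical string: every field the receiver relies on is signed.
    canonical = "\n".join([method, path, date, access_id, body_hash]).encode()
    signature = hmac.new(access_key, canonical, hashlib.sha256).hexdigest()
    return {
        "X-Example-Access-Id": access_id,      # hypothetical header names
        "X-Example-Date": date,
        "X-Example-Body-SHA256": body_hash,
        "X-Example-Signature": signature,
    }


def verify_request(access_key: bytes, method: str, path: str, body: bytes,
                   headers: dict) -> bool:
    """Receiver side: recompute both values and compare in constant time."""
    body_hash = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(body_hash, headers.get("X-Example-Body-SHA256", "")):
        return False  # body no longer matches the hash that was sent
    expected = sign_request(access_key, headers.get("X-Example-Access-Id", ""),
                            method, path, body, headers.get("X-Example-Date", ""))
    return hmac.compare_digest(expected["X-Example-Signature"],
                               headers.get("X-Example-Signature", ""))


if __name__ == "__main__":
    body = b'{"user": "alice"}'  # constructed sample request body
    hdrs = sign_request(ACCESS_KEY, ACCESS_ID, "POST", "/example/authn", body,
                        "2017-06-13T00:00:00Z")
    print("valid request:", verify_request(ACCESS_KEY, "POST", "/example/authn", body, hdrs))
    print("modified body:", verify_request(ACCESS_KEY, "POST", "/example/authn", body + b" ", hdrs))
```

Because the Access Key is the HMAC key in this sketch, anyone who obtains it can produce valid signatures, which is why the key must be stored as confidential data.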


  1. On the primary instance, log on to the Security Console, and go to Setup > System Settings.

  2. Under Authentication Settings, click RSA SecurID Authentication API.

  3. Select the Enable Authentication API checkbox.

    The Access ID and Access Key are generated and displayed.

    Authentication agents need the Access Key to use the RSA SecurID Authentication API, unless you are using HMAC mode, which requires both values. The same Access ID and Access Key values are used for the RSA SecurID Authentication API on all of the Authentication Manager instances in the deployment.

    Note:  Copy these values to a secure location where you can access them when you configure authentication agents that use the RSA SecurID Authentication API. The Access ID and Access Key are sensitive data, and the Access Key is confidential. Store these values securely, and share them only with other administrators.

  4. (Optional) Click Regenerate Agent Credentials if you need to generate new values for the Access ID and Access Key. You cannot cancel the process. The new credentials are saved as soon as you regenerate them. You do not need to click Save.

  5. (Optional) In the Communication Port field, enter the port number the authentication agents will use to communicate with the RSA SecurID Authentication API. The default is 5555.

  6. Click Apply Settings. The RSA SecurID Authentication API is enabled on the primary instance.

  7. To apply the changes to the replica instances, do the following:

    1. On each replica instance, log on to the Security Console, and go to Setup > System Settings.
    2. Click Apply Settings. The RSA SecurID Authentication API changes are applied to the replica instance.
    3. Repeat these steps on each replica instance.

After you finish