Configure RSA Authentication Manager to Handle Authenticate Tokencodes

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Jun 13, 2017
Version 2Show Document
  • View in full screen mode

A Super Admin for RSA Authentication Manager performs this task to connect Authentication Manager to the identity routers for tokencode verification. After a user successfully authenticates, the user's record is updated to include the RSA SecurID Authenticate app. The Authenticate app counts against the default limit of three active tokens per user.

If you also want users who are in an identity source for the Cloud Authentication Service but not for Authentication Manager (or in the internal database) to access resources protected by authentication agents, you must add a trusted realm as described in Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.

Before you begin 

  • Authentication Manager Operations Console Administrator credentials are required.
  • Contact an RSA SecurID Access administrator in the deployment that Authentication Manager will trust. The RSA SecurID Access Super Admin must have permission to use the Super Admin account that was created to manage identity router API access. Do the following:
    1. Provide the Authentication Manager IP address and netmask.
    2. Ask the RSA SecurID Access Super Admin to enable access to the identity router API. The RSA SecurID Access Super Admin must enter the Authentication Manager IP address and netmask. The procedure generates the Access ID and the Access Key credentials that Authentication Manager requires.
    3. Ask the RSA SecurID Access Super Admin for the following information:
      • Access ID
      • Access Key
      • The IPv4 addresses for one or more identity router management interfaces.
      • Decide what hostname to use for the identity routers.

        You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.

        For example, you can map multiple identity router IP addresses to the logical hostname Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

    4. Ask the RSA SecurID Access Super Admin for the RSA SecurID Access root certificate, and store the certificate in a location that is accessible to the Operations Console on the primary instance.


  1. Add the identity router management IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

    Note:  Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Enter the IPv4 addresses and the hostname of the identity routers. Click Add New, and enter:

      • The IPv4 address for an identity router. For example,
      • The hostname for the identity routers. Every hostname and FQDN has a limit of 255 characters, and this field has a limit of 1024 characters. Example hostname:

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same RSA SecurID Access hostname.

      • Comments, if any.

        Note:  You cannot repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

    3. Click Save.
  2. In the Operations Console on the primary instance, click Deployment Configuration > RSA SecurID Authenticate App.
  3. Select the Authenticate App checkbox to configure the connection to the identity routers that can verify Authenticate Tokencodes.
  4. In the Access URL field, enter the URL that Authentication Manager uses to communicate with the identity routers. The URL consists of an IP address or a hostname, which is defined by an Authentication Manager administrator or an RSA SecurID Access Super Admin, an API port that is provided by an RSA SecurID Access Super Admin, and the prefix /api/v1. For example,
  5. In the Access ID and Access Key fields, enter the information that the Cloud Authentication Service administrator provided for the identity router API.
  6. In the Identity Router Root Certificate field, click Browse and select the certificate that Authentication Manager requires to trust the Cloud Authentication Service deployment. Certificates in DER or PEM format are supported.
  7. Click Test Connection. If the connection test fails, you can edit the fields, select a new certificate, clear the Authenticate App checkbox to make the Identity Router Connection Settings fields unavailable, or click Cancel to exit the page without saving any changes.
  8. Click Save. The connection details are saved, and the root certificate is trusted.

After you finish 

The Super Admin for the Cloud Authentication Service must roll out the RSA SecurID Authenticate app to users so they can register their devices. For instructions, see "RSA SecurID Access Rollout to Users" on RSA Link at

If you experience any issues, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at

    Note:  To see RSA SecurID Authenticate configuration changes on a replica instance before replication occurs, log on to the Operations Console on the replica instance and flush the cache. For instructions, see Flush the Cache.