Generate an HMAC for Authentication Agents

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.

You can generate a Hash-based Message Authentication Code (HMAC) to sign authentication requests between authentication agents and the RSA SecurID Authentication API. The HMAC covers a hash of the request body and produces an HMAC signature that the agent sends with the request.

Use this procedure if your authentication agents use both the RSA SecurID Authentication API Access ID and Access Key. Use the default method for authentication agents that only use the Access Key.

Before you begin

You must access the appliance operating system with a secure shell (SSH) client. You can also access the operating system on a virtual appliance with the VMware vSphere Client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.


  1. Log on to the appliance with the user name rsaadmin and the operating system password.

  2. To use an HMAC for authentication, type:

    ./rsautil store -a update_config auth_manager.rest_service.authorization.mode 1 GLOBAL 501

    To return to the default mode that uses only the RSA SecurID Authentication API Access Key, type:

    ./rsautil store -a update_config auth_manager.rest_service.authorization.mode 0 GLOBAL 501

  3. Generate the signature:

    1. Generate the hash for the request body. The hashed body content is generated with SHA-512.
    2. Generate the HMAC signature for the string. The algorithm used for generating the signature is HmacSHA256 and the encoding is Base64.

    The string is calculated as:

    requestBodyHash = SHA-512(requestBody)
    messageToHmac = methodType||"\n"||requestBodyHash||"\n"||requestPath||"\n" +
    hmacKey = createHmacKey( getBytes(accessKey) )
    requestHmacBytes = HmacSHA256( hmacKey, messageToHmac)
    clientKeyHmac = Base64(requestHmacBytes)

    The variables involved are:

    • requestBody. The body of the POST after the HTTP header. Blank for GET methods.
    • methodType. The type of the request. Generally the text "POST".
    • requestPath. The path of the request, excluding the transport, the hostname, and the port. For example: /mfa/v1_1/authn/initialize.
    • dateString. The date of the request. This must also be included in the HTTP headers as "Date."
    • accessID. The Access ID from the REST configuration interface.
    • accessKey. The Access Key from the REST configuration interface.

    The functions are:

    • SHA-512(). Generates a 512-bit SHA hash of the input bytes.
    • ||. Denotes string concatenation.
    • createHmacKey(). Creates a key from the bytes provided.
    • getBytes(). Provides the byte values for the data provided.
    • HmacSHA256(). Calculates an HmacSHA256 from the key and data provided.
    • Base64(). Creates a Base64-encoded string for the binary data provided.

    The final "clientKeyHmac" is set as the client-key in the ApiClient.

    For example, the string is built from these components before the signature is generated:

    <Request Type> + <canonicalized resource> + <hashed request body> + <date> + <access id>

    A populated example of that string, before the HMAC is computed over it, is:

    POST + /mfa/v1_1/authn/initialize + b503cd9a42c8f14c9b64309ab160672cdc39e6c72a523247393a3634a930cd185665925bd5f9f673ab6512d06ed73eb512d045637acf35fee94d0f66c21c9459 + Thu, 01-Dec-16 07:50:53 Eastern Standard Time + hUX4YnN8mzk2fyaj5vUWSF2rVJybMP2zSOuLQDbepwNUiq4RPjExZddzpugcjQ5g
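The signature calculation above, worked through end to end as an added example (this is not RSA's code or SDK). The credentials and request body are constructed sample values, and the exact field order and newline separators of the signed string are an assumption taken from the pseudocode and the populated example; confirm them against the RSA SecurID Authentication API client before relying on interoperability. The verify function shows the server-side check with a constant-time comparison, which is how a relying party should validate the client-key header.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for illustration only (not real values).
ACCESS_ID = "example-access-id"
ACCESS_KEY = "example-access-key-not-a-real-secret"


def request_body_hash(request_body: str) -> str:
    """SHA-512 of the request body, hex-encoded. A GET has a blank body."""
    return hashlib.sha512(request_body.encode("utf-8")).hexdigest()


def message_to_hmac(method_type: str, request_path: str, request_body: str,
                    date_string: str, access_id: str) -> str:
    """Canonical string to sign: methodType, body hash, path (per the page's
    pseudocode), then date and Access ID (per the populated example).
    The precise order and separators are an assumption of this example."""
    fields = [method_type, request_body_hash(request_body), request_path,
              date_string, access_id]
    return "\n".join(fields) + "\n"


def client_key_hmac(access_key: str, message: str) -> str:
    """HmacSHA256 over the message, keyed with the Access Key bytes, Base64-encoded."""
    mac = hmac.new(access_key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(method_type: str, request_path: str, request_body: str,
                 date_string: str, access_id: str, access_key: str) -> str:
    """Agent side: produce the client-key value for one request."""
    msg = message_to_hmac(method_type, request_path, request_body, date_string, access_id)
    return client_key_hmac(access_key, msg)


def verify_client_key(presented: str, method_type: str, request_path: str,
                      request_body: str, date_string: str, access_id: str,
                      access_key: str) -> bool:
    """Server side: recompute and compare in constant time, so a tampered
    body, path, date or a wrong key is rejected without a timing leak."""
    expected = sign_request(method_type, request_path, request_body,
                            date_string, access_id, access_key)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    body = '{"subjectName": "jdoe"}'  # constructed sample body
    date = "Thu, 01 Dec 2016 12:50:53 GMT"  # must also be sent as the Date header
    print(sign_request("POST", "/mfa/v1_1/authn/initialize", body, date, ACCESS_ID, ACCESS_KEY))
```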

After you finish

  • Use the Security Console to add authentication agents that use the RSA SecurID Authentication API.