Node Secret for Encryption

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Feb 12, 2018.

The node secret is a shared secret known only to the authentication agent and Authentication Manager. Authentication agents use the node secret to encrypt authentication requests that they send to Authentication Manager.

Authentication Manager automatically creates and sends the node secret to the agent in response to the first successful authentication on the agent.

The agent and the Authentication Manager server must agree on the state of the node secret. A mismatch occurs, for example, if the server expects the agent to have a node secret but the agent does not have one, or if the agent believes it has a node secret but the server does not expect it to have one.

Manual Delivery of the Node Secret

In most deployments, automatically delivering the node secret is sufficient. However, you can choose to manually deliver the node secret for increased security. When you manually deliver the node secret, you must:

  • Use the Security Console to create the node secret. For instructions, see Manage the Node Secret.
  • Deliver the node secret to the agent, for example, on a disk, and use the Node Secret Load utility to load the node secret onto the agent.

The Node Secret Load utility does the following:

  • Decrypts the node secret file.
  • Renames the file after the authentication service name, usually securid.
  • Stores the renamed file on your machine. For more information on where the renamed node secret file is stored, see your agent documentation.

When you manually deliver the node secret, take the following security precautions:

  • Use the longest possible alphanumeric password. The maximum length is 16 characters. The minimum length, required special characters, and excluded characters are determined by the default password policy for the deployment.
  • If possible, deliver the node secret on external electronic media to the agent administrator, and verbally deliver the password. Do not write down the password. If you deliver the node secret through e-mail, deliver the password separately.
  • Make sure that all personnel involved in the node secret delivery are trusted personnel.
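The following Python sketch is an added illustration of the manual load step and the password precaution above; it is not RSA's Node Secret Load utility and does not use RSA's file format. It assumes a hypothetical delivery-file layout (salt, nonce, ciphertext, HMAC tag), PBKDF2-SHA256 as the password KDF, HMAC-SHA256 in counter mode as a standard-library stand-in for a block cipher, a policy minimum length of 8, and the default service name securid.

```python
import hashlib, hmac, os, secrets, tempfile

def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    # The 16-character maximum is stated on the page; the minimum comes from the deployment policy (8 assumed)
    return min_len <= len(pw) <= 16 and pw.isprintable() and " " not in pw

def _keys(pw: str, salt: bytes):
    # PBKDF2-SHA256 (assumed KDF) -> 32-byte encryption key + 32-byte MAC key
    km = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as the PRF: a stdlib-only stand-in for a block cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(secret: bytes, pw: str) -> bytes:
    # Hypothetical delivery-file layout: salt | nonce | ciphertext | HMAC tag (encrypt-then-MAC)
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ek, mk = _keys(pw, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(ek, nonce, len(secret))))
    return salt + nonce + ct + hmac.new(mk, salt + nonce + ct, "sha256").digest()

def open_sealed(blob: bytes, pw: str) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _keys(pw, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, salt + nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong password or tampered file")  # checked before decrypting
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def load_node_secret(blob: bytes, pw: str, dest_dir: str, service: str = "securid") -> str:
    # The utility's steps: decrypt, rename after the service name, store with owner-only permissions
    if not password_meets_policy(pw):
        raise ValueError("password violates policy")
    dest = os.path.join(dest_dir, service)
    if os.path.exists(dest):  # an agent holding a secret the server does not expect is the mismatch case
        raise FileExistsError(f"{dest} exists; clear the node secret on agent and server first")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(open_sealed(blob, pw))
    return dest

def demo() -> dict:
    # Constructed sample: a throwaway secret sealed with a 16-character password, loaded into a temp dir
    pw, secret, d = "Xk9mQ2pL7vR4tW8z", b"constructed-sample-node-secret", tempfile.mkdtemp()
    dest = load_node_secret(seal(secret, pw), pw, d)
    def rejected(fn, *args):  # True when the call is refused as intended
        try: fn(*args); return False
        except (ValueError, FileExistsError): return True
    return {"name": os.path.basename(dest), "round_trip": open(dest, "rb").read() == secret,
            "wrong_pw_rejected": rejected(open_sealed, seal(secret, pw), "wrongpassword01"),
            "overwrite_refused": rejected(load_node_secret, seal(secret, pw), pw, d)}
```

The refusal to overwrite an existing file is the defensive point: loading a second node secret on an agent the server already knows about produces exactly the state mismatch described earlier.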

For additional information about creating and sending the node secret file, see Manage the Node Secret.