You must add an RSA SecurID Access deployment to RSA Authentication Manager as a trusted realm in either of the following cases:
- You have RSA Authentication Manager 8.2 SP1 or later and you want users who are in an identity source configured for the Cloud Authentication Service but not in one configured for RSA Authentication Manager (or in the internal database) to use the RSA SecurID Authenticate app to access resources protected by RSA Authentication Agents.
- You want Authentication Manager 8.2 users to use the RSA SecurID Authenticate app to access resources protected by RSA Authentication Agents.
An RSA Authentication Manager deployment can support only one RSA SecurID Access deployment as a trusted realm. However, you can use the Operations Console to add IP addresses for multiple identity routers in this trusted realm. Doing this allows Authentication Manager to use round robin load balancing, high availability, and failover for authentication requests. The trusted realm relationship exists if at least one identity router is available.
To download complete integration instructions, see Integrating the Cloud Authentication Service and RSA Authentication Manager on RSA Link at https://community.rsa.com/docs/DOC-53954.
Before you begin
- The following Authentication Manager credentials are required:
- Operations Console administrator.
- The rsaadmin password.
- Either RSA Authentication Manager Super Admin or Trust Administrator privileges.
- Obtain the required identity router information from the Cloud Authentication Service Super Admin.
You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.
For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond. If you map multiple identity router IP addresses, you must maintain the .hosts file when identity routers are added or removed from the deployment.
- Contact a Super Admin for the Cloud Authentication Service in the deployment that Authentication Manager will trust. The Super Admin must have permission to use the Super Admin account that manages identity router API access. Do the following:
- Provide the Authentication Manager IP address and netmask.
- Ask the Super Admin to enable access to the identity router API. The RSA SecurID Access Super Admin must enter the Authentication Manager IP address and netmask. The procedure generates the Access ID and the Access Key credentials that Authentication Manager requires.
- Ask the Super Admin for the following information:
- Access ID
- Access Key
- The IPv4 addresses for one or more identity router management interfaces.
- Decide what hostname to use for the identity routers.
You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostnamethat only Authentication Manager uses.
For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.
Add the identity router IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.
Note: Do not edit the hosts file outside of the Authentication Manager Operations Console, or the file may become unreadable.
- In the Operations Console, click Administration > Network > Hosts File.
Click Add New, and enter:
- Identity router IPv4 address. For example, 192.168.255.255.
Identity router hostnames. Each hostname and FQDN is limited to 255 or fewer characters. Do not exceed 1024 characters in this field. For example, identityrouter.rsa-securid.com.
To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same hostname.
Comments, if any. Double quotation marks, hash characters, and any non-printing characters are not supported, and are removed when the hosts file is saved.
Note: Do not repeat an IP address or hostname that is in the Read-only Content section of the hosts file.
- Click Save.
Note: (Optional) After you log on to the appliance operating system, you can manually save a copy of the hosts file for each appliance. The hosts file is not included in an Authentication Manager backup file.
- To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH:
- In the Operations Console, click Administration > Operating System Access.
- Select each NIC on which you want to enable SSH.
- Click Save.
- Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup:
- On a hardware appliance, log on to the appliance using an SSH client.
- On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
- Change directories to /opt/rsa/am/utils. Type:
and press ENTER.
./rsautil manage-securid-access-trusts -a create
and press ENTER. You are prompted for the required options.
Note: You can enter the options directly on the command line. For additional options, see Options for manage-securid-access-trusts.
- When prompted, do the following:
- Enter the Authentication Manager Super Admin or Trust Administrator username, and press ENTER.
- Enter the Authentication Manager Super Admin or Trust Administrator password, and press ENTER.
- Enter the full REST API URL Prefix for the Cloud Authentication Service deployment. The URL is the hostname that you defined or an IP address, the API port that was provided by the Cloud Authentication Service Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-securid.com:443/api/v1.
- Enter the Access ID provided by the Cloud Authentication Service Super Admin, and press ENTER.
- Enter the Access Key provided by the Cloud Authentication Service Super Admin, and press ENTER.
- Verify the displayed details of the identity router root certificate. RSA Authentication Manager must obtain the root certificate from the identity router so that Authentication Manager can trust the Cloud Authentication Service deployment.
Note: It is critical that Authentication Manager only sends authentication requests to a legitimate identity router running the SSO Agent. You must carefully examine and verify the certificate.
- When prompted, add the identity router root certificate to the RSA Authentication Manager trust store. Enter y, and press ENTER.
- After obtaining the root certificate, you must enter credentials for the Authentication Manager instance and other information that is required to create the trust.
- Enter a name for the trusted realm. You can use the hostname for the identity routers, for example, identityrouter.rsa-securid.com. Press ENTER.
- (Optional) Enter any notes and press ENTER.
- When prompted to enable a trusted realm, enter y, and press ENTER. Users can authenticate to an enabled Cloud Authentication Service trusted realm.
- When prompted to enable the trusted realm for authentication, enter y, and press ENTER. This trusted realm option does not apply to a Cloud Authentication Service trusted realm.
RSA Authentication Manager tests the connection to the trusted realm. After 30 seconds, a message indicates whether the connection test succeeded or failed.
If the test fails, you can view the details in the imsTrace.log file in the /opt/rsa/am/server/logs directory.
Note: Replica instances require an additional time to accept the root certificate that RSA Authentication Manager obtained from the identity router. Wait at least ten minutes before testing the trusted realm or authenticating with Authenticate Tokencodes on any replica instance.
After you finish
- For each authentication agent that is being used with the RSA SecurID Access trusted realm, select the Enable Trusted Realm Authentication field when you add the authentication agent. For instructions, see Add an Authentication Agent.
- (Optional) In the Security Console, you can view or delete the RSA SecurID Access trusted realm:
- Click Administration > Trusted Realms > Manage Existing.
- Select the trusted realm to display the context menu.
- Select one of the following items:
- Click View to view the details of the trusted realm.
- Click Delete to delete the trusted realm, and click OK.