Splunk integration with RSA Authentication Manager using REST API
Originally Published: 2022-08-23
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1 or above
Issue
- This protects Splunk with RSA Authentication Manager.
- Setting up the REST API as an authentication agent.
- The REST API is very useful as it doesn't restrict you to a specific code or programming language.
Tasks
Resolution
- Navigate to Setup > System Settings > RSA SecurID Authentication API.
- Check the box to Enable Authentication API.
- Note the values for the Access Key.
- You can change the value for the communication port number to any free port.
- Add an agent entry in the Security Console:
- Select Access > Authentication Agents > Add New.
- Add the agent name. Any name will do, but note that it will be used as the clientId in the requests below.
- Login to the Splunk server.
- Navigate to /opt/splunk/etc/apps/<app_name>/local/authentication.conf:
cd /opt/splunk/etc/apps/<APP_NAME>/local
- The <app_name> shall be the application used by Splunk. (e.g. launcher)
- In case of launcher, it will be as below:
cd /opt/splunk/etc/apps/launcher/local
- Edit the authentication.conf file:
vi authentication.conf
- Fill in the following:
[rsa-mfa] accessKey = <Access_Key_From_Security_Console> authManagerUrl = https://<Primary_RSA_Server_Hostname>:5555/ clientId = <Agent_Name_Created_Above> enableMfaAuthRest = 1 failOpen = 0 replicateCertificates = 1 sslRootCAPath = <Mention__The_Path_to_RSA_Console_certificate> (eg. $SPLUNK_HOME/etc/auth/rsa-2fa/cert.pem) timeout = 15 [authentication] externalTwoFactorAuthVendor = rsa externalTwoFactorAuthSettings = rsa-mfa
- After making the above changes, save the configuration file:
- Press ESC then type :wq! then press Enter.
- Finally, restart the Splunk server
/opt/splunk/bin/splunk restart
Notes
- Navigate to the Security console
- Export the certificate Base-64 encoded X.509 (.CER)
