Manage the Node Secret
The node secret is a shared secret known only to the authentication agent and RSA Authentication Manager (AM). Authentication agents and AM use the node secret as a symmetric encryption key to encrypt and decrypt packets of data as they travel across the network. For example, authentication agents use the node secret to encrypt authentication requests that they send to AM. For an authentication agent that uses UDP, the authentication agent and the AM server must agree on the state of the node secret.
For agents that are based on UDP, the node secret is stored in both the Authentication Manager database and in a file on the Web Agent host. For agents that are based on TCP or Internet Protocol (IP), a node secret file is optional, and the location is specified in the rsa_api.properties file. For these agents, a dynamically negotiated key, together with a strong encryption algorithm, is used instead of a node secret to encrypt the channel.
AM automatically creates and sends the unique node secret to the agent in response to the first successful authentication on the agent.
In most deployments, automatically delivering the node secret is sufficient. However, you can choose to manually deliver the node secret for increased security. When you manually deliver the node secret to the agent, you must use the Node Secret Load utility to load the node secret onto the agent.
The Node Secret Load utility does the following:
- Decrypts the node secret file.
- Renames the file after the authentication service name, usually securid.
- Stores the renamed file on your machine. For more information on where the renamed node secret file is stored, see your authentication agent documentation.
Procedure
1. In the Security Console, click Access > Authentication Agents > Manage Existing.
2. Click the Restricted or Unrestricted tab, depending on whether the authentication agent that you want to search for is restricted or unrestricted.
3. Use the search fields to find the authentication agent with the node secret that you want to manage.
4. Click the agent, and click Manage Node Secret.
5. If you want to clear the node secret from the AM server, do the following:
   - Select the Clear Node Secret checkbox.
   - To allow the authentication agent to authenticate to the server, you must also clear the node secret on the authentication agent. For more information, see your authentication agent documentation.
6. (Optional) If you want to create a new node secret instead of generating one automatically, select the Create Node Secret checkbox.
7. Enter and confirm a password to encrypt the node secret file. The maximum length is 16 characters. The minimum length, required characters, and excluded characters are determined by the default password policy for the deployment.
8. Click Save.
9. Click Download Now.
After you finish
When you manually deliver the node secret, take the following security precautions:
- Make sure that all personnel involved in the node secret delivery are trusted personnel.
- Deliver the node secret on external electronic media to the agent administrator, and verbally deliver the password. Do not write down the password. If you deliver the node secret through e-mail, deliver the password separately.
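The requirement that the agent and AM agree on the state of the node secret, and that a node secret cleared on the server must also be cleared on the agent, can be seen in a small model. This is an added example, not RSA code and not the actual agent protocol: the Server and Agent classes are hypothetical, an HMAC tag stands in for the symmetric encryption of the request, and the secret is handed to the agent directly.

```python
import hashlib
import hmac
import secrets

# Simplified model (assumption): HMAC stands in for node-secret encryption.
MISMATCH = "node secret mismatch"

class Server:
    """Stand-in for the AM side: one stored node secret for one agent."""
    def __init__(self):
        self.node_secret = None            # None = cleared or not yet created

    def authenticate(self, payload, tag, passcode_ok=True):
        if self.node_secret is None:
            if tag is not None:            # agent still holds an old secret
                return MISMATCH, None
            if not passcode_ok:
                return "denied", None
            # First successful authentication: create and deliver the secret.
            self.node_secret = secrets.token_bytes(16)
            return "ok", self.node_secret
        expected = hmac.new(self.node_secret, payload, hashlib.sha256).digest()
        if tag is None or not hmac.compare_digest(expected, tag):
            return MISMATCH, None          # agent has no secret, or a different one
        return ("ok" if passcode_ok else "denied"), None

class Agent:
    """Stand-in for the agent host and its node secret file."""
    def __init__(self):
        self.node_secret = None

    def login(self, server, payload=b"user=alice", passcode_ok=True):
        key = self.node_secret
        tag = hmac.new(key, payload, hashlib.sha256).digest() if key else None
        status, delivered = server.authenticate(payload, tag, passcode_ok)
        if delivered is not None:
            self.node_secret = delivered   # automatic delivery to the agent
        return status

def clear_scenario():
    """Login results across a server-only clear, then an agent clear."""
    server, agent = Server(), Agent()
    results = [agent.login(server), agent.login(server)]  # first auth, steady state
    server.node_secret = None                              # cleared on AM only
    results.append(agent.login(server))
    agent.node_secret = None                               # cleared on the agent too
    results.append(agent.login(server))
    return results
```

In the model, the login after the server-only clear fails with a mismatch, and authentication recovers only once the agent's copy is cleared as well.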