Configure the RSA SecurID Authentication API for Authentication Agents

Applicable to: Authentication Manager 8.8 and later versions.

The Authentication Manager REST service enables authentication agents to securely send user authentication requests to the Authentication Manager. After you install authentication agents that use the REST protocol, you must configure the RSA SecurID Authentication API. To manage agent credentials, including editing or deleting existing ones, refer to the section Manage Agent Credentials.

Procedure 

1. On the primary instance, log on to the Security Console, and go to Setup> System Settings.

2. Under Authentication Settings, click RSA SecurID Authentication API.

3. By default, the Enable Authentication API checkbox is selected in a fresh installation.

4. (Optional) In the Communication Port field, enter the port number that authentication agents will use to communicate with the RSA SecurID Authentication API. The default is 5555.

5. Click Apply Settings. The RSA Authentication API is enabled on the primary instance. If no agent credential is present, one is generated automatically.

6. To apply the changes to the replica instances, do the following:

1. On each replica instance, log on to the Security Console, and go to Setup > System Settings.
2. Under Authentication Settings, click RSA SecurID Authentication API.
3. Click Apply Settings. The RSA SecurID Authentication API changes are applied to the replica instance.
4. Repeat these steps on each replica instance.

After you finish 

• If you are using an HMAC for authentication requests, see Generate an HMAC for Authentication Agents.
• Use the Security Console to add authentication agents that use the REST protocol. For more information, see Deploying an Authentication Agent That Uses the REST Protocol.
• Authentication agents that use the REST protocol use a REST server URL for communication between the authentication agent and AM. The URL contains a Fully Qualified Host Name (FQHN) which is resolved by the authentication agent to the addresses of the AM instances that should be used for authentication. You could choose to create a specific FQHN to represent the active AM instances in your deployment, and use DNS to add or remove AM instances from being used for authentication.

Configure the RSA SecurID Authentication API for Authentication Agents

Applicable to: Authentication Manager 8.7 SP2 and earlier versions.

The RSA SecurID Authentication API is a REST service that allows you to use clients or authentication agents to securely pass user authentication requests to and from RSA Authentication Manager. After you install authentication agents that use the REST protocol, you must configure the RSA SecurID Authentication API.

When you enable the RSA SecurID Authentication API, you generate the Access ID and Access Key. Authentication agents can use the Access ID and Access Key to interact with the RSA SecurID Authentication API. The agents include these credentials in the HTTP header for authentication requests.

The default mode for authentication agents uses the Access Key. To use both the Access ID and the Access Key, you can enable an Hash-based Message Authentication Code (HMAC) mode for the RSA SecurID Authentication API. The HMAC mode allows the agent to encrypt authentication requests with a hash for the request body and an HMAC signature.

Procedure 

1. On the primary instance, log on to the Security Console, and go to Setup> System Settings.

2. Under Authentication Settings, click RSA SecurID Authentication API.

3. Select the Enable Authentication API checkbox.

4. The Access ID and Access Key are generated and displayed.

   Authentication agents need the Access Key to use the RSA SecurID Authentication API, unless you are using HMAC mode which requires both values. The same Access ID and Access Key values are used for the RSA SecurID Authentication API on all of the AM instances in the deployment.

   Note:  Copy these values to a secure location where you can access them when you configure authentication agents that use the RSA SecurID Authentication API. The Access ID and Access Key are sensitive data, and the Access Key is confidential. Store these values securely, and share them only with other administrators.

5. Click Regenerate Agent Credentials if you are applying the Access ID and Access Key to replica instances or if you need to generate new credentials for your authentication agents. You cannot cancel the process. The new credentials are saved as soon as you regenerate them. You do not need to click Save.

6. (Optional) In the Communication Port field, enter the port number that authentication agents will use to communicate with the RSA SecurID Authentication API. The default is 5555.

7. Click Apply Settings. The RSA Authentication API is enabled on the primary instance. If no agent credential is present, one is generated automatically.

8. To apply the changes to the replica instances, do the following:

1. On each replica instance, log on to the Security Console, and go to Setup > System Settings.
2. Under Authentication Settings, click RSA SecurID Authentication API.
3. Click Apply Settings. The RSA SecurID Authentication API changes are applied to the replica instance.
4. Repeat these steps on each replica instance.

After you finish 

• If you are using an HMAC for authentication requests, see Generate an HMAC for Authentication Agents.
• Use the Security Console to add authentication agents that use the REST protocol. For more information, see Deploying an Authentication Agent That Uses the REST Protocol.
• Authentication agents that use the REST protocol use a REST server URL for communication between the authentication agent and AM. The URL contains a Fully Qualified Host Name (FQHN) which is resolved by the authentication agent to the addresses of the AM instances that should be used for authentication. You could choose to create a specific FQHN to represent the active AM instances in your deployment, and use DNS to add or remove AM instances from being used for authentication.