To ensure a secure transaction the first time a user attempts to authenticate with a SecurID passcode, the authentication agent and Authentication Manager automatically communicate using a hashed value of the unique node secret and store it on the agent computer.
The node secret is a shared secret is known only to the authentication agent and RSA Authentication Manager. Authentication agents and Authentication Manager use the node secret as a symmetric encryption key to encrypt and decrypt packets of data as they travel across the network. For example, authentication agents use the node secret to encrypt authentication requests that they send to Authentication Manager. For an authentication agent that uses the UDP protocol, the authentication agent and the Authentication Manager server must agree on the state of the node secret.
For agents that are based upon the UDP protocol, the node secret is stored in both the Authentication Manager database and in a file on the Web Agent host. For agents that are based upon the TCP/IP protocol, a node secret file is optional, and the location is specified in the rsa_api.properties file. Instead of a node secret, a dynamically negotiated key is used to encrypt the channel along with a strong encryption algorithm.
Authentication Manager automatically creates and sends the unique node secret to the agent in response to the first successful authentication on the agent.
In most deployments, automatically delivering the node secret is sufficient. However, you can choose to manually deliver the node secret for increased security. When you manually deliver the node secret to the agent, you must use the Node Secret Load utility to load the node secret on to the agent.
The Node Secret Load utility does the following:
- Decrypts the node secret file.
- Renames the file after the authentication service name, usually securid.
- Stores the renamed file on your machine. For more information on where the renamed node secret file is stored, see your authentication agent documentation.
Procedure
-
In the Security Console, click Access > Authentication Agents > Manage Existing.
-
Click the Restricted or Unrestricted tab, depending on whether the authentication agent that you want to search for is restricted or unrestricted.
-
Use the search fields to find the authentication agent with the node secret that you want to manage.
-
Click the agent, and click Manage Node Secret.
-
If you want to clear the node secret from the Authentication Manager server, do the following:
- Select the Clear Node Secret checkbox.
- To allow the authentication agent to authenticate to the server, you must also clear the node secret on the authentication agent. For instructions, see your authentication agent documentation.
-
(Optional) If you want to create a new node secret, instead of generating one automatically, select the Create Node Secret checkbox.
Enter and confirm a password to encrypt the node secret file. The maximum length is 16 characters. The minimum length, required characters, and excluded characters are determined by the default password policy for the deployment.
-
Click Save.
-
Click Download Now.
After you finish
When you manually deliver the node secret, take the following security precautions:
- Make sure that all personnel involved in the node secret delivery are trusted personnel.
- Deliver the node secret on external electronic media to the agent administrator, and verbally deliver the password. Do not write down the password. If you deliver the node secret through e-mail, deliver the password separately.
You are here
Table of Contents > Authentication Agents > Manage the Node Secret
