RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1 or above
- This protects Splunk with RSA Authentication Manager.
- Setting up the REST API as an authentication agent.
- The REST API is very useful as it doesn't restrict you to a specific code or programming language.
First, enable the REST API interface from the Security Console. (Note you must be running RSA Authentication Manager 8.2 SP1 or above
to access this interface.)
- Navigate to Setup > System Settings > RSA SecurID Authentication API.
- Check the box to Enable Authentication API.
- Note the values for the Access Key.
- You can change the value for the communication port number to any free port.
- Add an agent entry in the Security Console:
- Select Access > Authentication Agents > Add New.
- Add the agent name. Any name will do, but note that it will be used as the clientId in the requests below.
- Login to the Splunk server.
- Navigate to /opt/splunk/etc/apps/<app_name>/local/authentication.conf:
- The <app_name> shall be the application used by Splunk. (e.g. launcher)
- In case of launcher, it will be as below:
- Edit the authentication.conf file:
- Fill in the following:
accessKey = <Access_Key_From_Security_Console>
authManagerUrl = https://<Primary_RSA_Server_Hostname>:5555/
clientId = <Agent_Name_Created_Above>
enableMfaAuthRest = 1
failOpen = 0
replicateCertificates = 1
sslRootCAPath = <Mention__The_Path_to_RSA_Console_certificate> (eg. $SPLUNK_HOME/etc/auth/rsa-2fa/cert.pem)
timeout = 15
externalTwoFactorAuthVendor = rsa
externalTwoFactorAuthSettings = rsa-mfa
- After making the above changes, save the configuration file:
- Press ESC then type :wq! then press Enter.
- Finally, restart the Splunk server
To export the console certificate
- Navigate to the Security console
- Export the certificate Base-64 encoded X.509 (.CER)