This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Splunk integration with RSA Authentication Manager using REST API

Article Number

000067941

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1 or above

Issue

  • This protects Splunk with RSA Authentication Manager.
  • Setting up the REST API as an authentication agent.
  • The REST API is very useful as it doesn't restrict you to a specific code or programming language.

Resolution

First, enable the REST API interface from the Security Console. (Note you must be running RSA Authentication Manager 8.2 SP1 or above to access this interface.)
  1. Navigate to Setup System Settings > RSA SecurID Authentication API.
  2. Check the box to Enable Authentication API.
  3. Note the values for the Access Key.
  4. You can change the value for the communication port number to any free port.
  1. Add an agent entry in the Security Console:
  2. Select Access > Authentication Agents > Add New.
  3. Add the agent name.  Any name will do, but note that it will be used as the clientId in the requests below.
  4. Login to the Splunk server.
  5. Navigate to /opt/splunk/etc/apps/<app_name>/local/authentication.conf:

cd /opt/splunk/etc/apps/<APP_NAME>/local
  1. The <app_name> shall be the application used by Splunk. (e.g. launcher)
  2. In case of launcher, it will be as below: 
    
cd /opt/splunk/etc/apps/launcher/local
  3. Edit the authentication.conf file: 
    
vi authentication.conf
  4. Fill in the following:  
    
[rsa-mfa] 
accessKey = <Access_Key_From_Security_Console>
authManagerUrl = https://<Primary_RSA_Server_Hostname>:5555/ 
clientId = <Agent_Name_Created_Above> 
enableMfaAuthRest = 1 
failOpen = 0 
replicateCertificates = 1 
sslRootCAPath = <Mention__The_Path_to_RSA_Console_certificate> (eg. $SPLUNK_HOME/etc/auth/rsa-2fa/cert.pem)
timeout = 15 
[authentication] 
externalTwoFactorAuthVendor = rsa 
externalTwoFactorAuthSettings = rsa-mfa
  5. After making the above changes, save the configuration file:
    1. Press ESC then type :wq! then press Enter.
  6. Finally, restart the Splunk server 
    
/opt/splunk/bin/splunk restart

Notes

To export the console certificate
  1. Navigate to the Security console 
  2. Export the certificate Base-64 encoded X.509 (.CER)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-09-22 05:05 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.