Fortra BoKS ServerControl 8.1 - RSA MFA API REST Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-31

This section describes how to integrate RSA Authentication Manager with Fortra BoKS ServerControl using RSA MFA API (REST).

Agent Host Configuration

To facilitate communication between the BoKS host and RSA Authentication Manager/RSA SecurID Appliance, an Agent host record must be added to the RSA Authentication Manager database.

The Agent Host record identifies the BoKS Server Agent, either with a generic name that can be the same for many hosts, or with IP address and hostname for the specific host. Set the Agent Type to “Standard Agent” when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with the BoKS host will occur.

In addition to this, the user performing the access in BoKS must also exist in the RSA Authentication Manager database and have a token assigned.

Fortra BoKS ServerControl Configuration

This section provides instructions for configuring the BoKS Server Agent with RSA Authentication Manager.

To use SecurID tokens together with BoKS Manager, you need to:

  • Have RSA Authentication Manager up and running in the BoKS domain.
  • Configure the BoKS Master to use the RSA Authentication Manager as an external authentication service.

From BoKS version 8.1, the RSA MFA API (REST) is supported using the BoKS program securidrest. This protocol is supported by RSA Authentication Manager 8.2 SP1 and later.

To configure the BoKS hosts for communication with an RSA Authentication Manager (MFA API):

  1. Retrieve the root certificate and the Access Key from RSA Authentication Manager. For details, see the RSA Authentication Manager documentation set.
  2. Import the root certificate into the BoKS database.

For example, where the certificate has been transferred to the BoKS Master and saved as /tmp/RootCA.pem, you can import the certificate into the BoKS database using the command:

BoKS # cacreds set -f /tmp/RootCA.pem -c VERIFY

  3. Using the extauthadm program, configure the settings for communication with the RSA Authentication Manager REST API.

For example:
BoKS # extauthadm -a -t securid -u <server-uri> -d ACCESSKEY=<access-key-value>[,AGENTNAME=<agent-name>]

Where:

server-uri is the address to the RSA Authentication Manager in the form https://hostname[:port]. If the port is not set, the default value of 5555 is used.

access-key-value is the value for the Access Key retrieved from the RSA Authentication Manager. This value must be supplied.

agent-name is the name of the authentication agent for RSA SecurID (set on the RSA Authentication Manager). If not supplied, and a locally defined value for the name is not set on the BoKS host, the hostname is used by default.
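
A pre-flight check for steps 1 to 3 above, added here as an example and not part of the Fortra or RSA documentation: it validates the server-uri form (applying the default port 5555) and checks that the transferred root certificate is current and verifies the server's TLS chain. The function names, the sample hostname and the 30-day expiry margin are assumptions, as is the premise that this root certificate issues the certificate presented on the REST port.

```sh
#!/bin/sh
# Added example; function names and sample values are hypothetical.

# Split https://hostname[:port] into "host port", defaulting the port to 5555.
# Anything else (other schemes, paths, userinfo, IPv6 literals) is rejected.
parse_server_uri() {
    case $1 in
        https://*) rest=${1#https://} ;;
        *) echo "server-uri must start with https://" >&2; return 1 ;;
    esac
    rest=${rest%/}    # tolerate one trailing slash
    case $rest in
        ''|*/*|*@*|*' '*) echo "unexpected characters in server-uri" >&2; return 1 ;;
    esac
    case $rest in
        *:*) host=${rest%%:*}; port=${rest#*:} ;;
        *)   host=$rest; port=5555 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ -z "$host" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid host or port" >&2; return 1
    fi
    printf '%s %s\n' "$host" "$port"
}

# Check that the PEM file is a certificate still valid 30 days from now, then
# that the server's TLS chain verifies against it. Needs openssl and network
# access to the Authentication Manager.
check_root_ca() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null || return 1
    openssl s_client -connect "$2:$3" -servername "$2" -CAfile "$1" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample value; prints "am.example.test 5555".
parse_server_uri "https://am.example.test"
# On the BoKS Master, with the real URI and the transferred root certificate:
#   set -- $(parse_server_uri "<server-uri>") && check_root_ca /tmp/RootCA.pem "$1" "$2"
```

A non-zero return from check_root_ca means either the PEM file is not a usable certificate or the server's chain does not verify against it, both of which are worth resolving before running cacreds and extauthadm.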

To configure a BoKS host for communication with an RSA Authentication Manager (REST API):

  1. Using boksconfig, set the following configuration variable:

    BoKS # boksconfig --set authentication/securid/version --value rest

  2. If required, you can also set the name of the authentication agent on a single host. Using boksconfig, set the following configuration variable:

    BoKS # boksconfig --set authentication/securid/agent-name \
    --value <name of agent>

    If set on the host, this value has precedence over any value set for the authentication agent for the domain on the Master (see the extauthadm command in the previous step).

Before a user can log in to a host using an RSA SecurID token, the user must have a SecurID authenticator assigned, and an appropriate access rule for the service used must be added. To enforce SecurID authentication for all access the user requests, the SecurID authenticator must be set as mandatory.

For detailed information, see the RSA Authentication Manager documentation and the BoKS Manager Administration Guide.

 

Configuration is complete.
