Configure the SecurID Authentication API for Authentication AgentsConfigure the SecurID Authentication API for Authentication Agents
The SecurID Authentication API is a REST service that allows you to use clients or authentication agents to securely pass user authentication requests to and from RSA Authentication Manager. After you install authentication agents that use the REST protocol, you must configure the SecurID Authentication API.
When you enable the SecurID Authentication API, you generate the Access ID and Access Key. Authentication agents can use the Access ID and Access Key to interact with the SecurID Authentication API. The agents include these credentials in the HTTP header for authentication requests.
The default mode for authentication agents uses the Access Key. To use both the Access ID and the Access Key, you can enable an Hash-based Message Authentication Code (HMAC) mode for the SecurID Authentication API. The HMAC mode allows the agent to encrypt authentication requests with a hash for the request body and an HMAC signature.
On the primary instance, log on to the Security Console, and go to Setup > System Settings.
Under Authentication Settings, click SecurID Authentication API.
Select the Enable Authentication API checkbox.
The Access ID and Access Key are generated and displayed.
Authentication agents need the Access Key to use the SecurID Authentication API, unless you are using HMAC mode which requires both values. The same Access ID and Access Key values are used for the SecurID Authentication API on all of the Authentication Manager instances in the deployment.
Note: Copy these values to a secure location where you can access them when you configure authentication agents that use the SecurID Authentication API. The Access ID and Access Key are sensitive data, and the Access Key is confidential. Store these values securely, and share them only with other administrators.
Click Regenerate Agent Credentials if you are applying the Access ID and Access Key to replica instances or if you need to generate new credentials for your authentication agents. You cannot cancel the process. The new credentials are saved as soon as you regenerate them. You do not need to click Save.
(Optional) In the Communication Port field, enter the port number the authentication agents will use to communicate with the SecurID Authentication API. The default is 5555.
Click Apply Settings. The RSA Authentication API is enabled on the primary instance.
To apply the changes to the replica instances, do the following:
- Make sure that you regenerated the credentials in Step 4.
- On each replica instance, log on to the Security Console, and go to Setup > System Settings.
- Click Apply Settings. The SecurID Authentication API changes are applied to the replica instance.
- Repeat these steps on each replica instance.
After you finish
- If you are using an HMAC for authentication requests, see Generate an HMAC for Authentication Agents.
- Use the Security Console to add authentication agents that use the REST protocol. For instructions, see Deploying an Authentication Agent That Uses the REST Protocol.
- Authentication agents that use the REST protocol use a REST server URL for communication between the authentication agent and Authentication Manager. The URL contains a Fully Qualified Host Name (FQHN) which is resolved by the authentication agent to the addresses of the Authentication Manager instances that should be used for authentication. You could choose to create a specific FQHN to represent the active Authentication Manager instances in your deployment, and use DNS to add or remove Authentication Manager instances from being used for authentication.
Generate an HMAC for Authentication Agents
Deploying an Authentication Agent That Uses the REST Protocol