Setting up the RSA Server
1. Add the Authentication Agent (the TPAM IP address) to the RSA server.
2. Test that the RSA server can resolve the IP address or hostname of the TPAM server.
3. Verify the Agent Type:
Test Access from RSA server
Click on Access | Test Access:
Enter the IP of the Authenticating Agent (TPAM):
Manage the Node Secret
1. The node secret is an encrypted password that is shared between the authentication agent and RSA Authentication Manager, which allows secure communication between them. A node secret file is automatically generated and shared the first time the agent authenticates with Authentication Manager.
2. Click Access | Authentication Agents
3. Use the search fields to find the agent whose node secret you want to manage, or select it from the list.
4. From the list of agents, click the agent with the node secret you want to manage.
5. From the Context menu, click Manage Node Secret.
6. To clear the node secret from the Authentication Manager server, select the Clear Node Secret checkbox.
Generate Configuration File
To enable SecurID authentication you first need to generate an 'sdconf.rec' file from your ACE Server. Please ensure that the client has added the appliance to the RSA server as an Authentication Agent and has tested the communication before creating the sdconf.rec file.
You will need to upload this file through the /admin interface. See Configuring TPAM below.
1. In RSA Security Console
2. Click Access | Authentication Agents | Generate Configuration File
3. Click Download Now
4. Save File
SecurID External Authentication
In the admin Interface https://<ipaddress>/admin
1. Click on System Status & Settings | External Authentication | SecurID
2. Browse to the sdopts.rec file that you created
3. Click Upload
4. Click Import Options File
5. Change the Import File Type to sdconf.rec
6. Browse to the sdconf.rec file you downloaded from RSA
7. Click Import Options File
Successful upload of File:
In the TPAM interface https://<ipaddress>/tpam
1. Click on Users & Groups | UserIDs | Manage UserIDs
2. Filter for the UserID
3. Select the User Name from the "Listing" tab
4. Click on the "Details" tab
5. Under "User Authentication" select "SecurID" for External and in the "UserID" field add the SecurID User or Group
Sign in using the RSA SecurID:
The authentication screen may ask for a Next Tokencode or a New PIN:
Check the RSA server to confirm that the node secret was created.
SecurID and the Replica
To ensure that the "Replica" appliance is configured for external authentication in the event of a failover, the Replica must first be configured as an Authentication Agent on the RSA server.
1. Force the Replica into "Failover" mode on the Cluster Management page of the Primary appliance (refer to the Systems Administrator Guide for steps on how to Force a Failover. A copy of the guide may be downloaded here: TPAM Appliance - Release Notes and Guides.)
2. Go to the /admin interface of the Replica and select System Status/Settings | External Authentication | SecurID Config.
3. If using an sdopts.rec file (which pins the client-specific IP address when using a cluster), upload the file to the Replica. This file is not replicated from the Primary; it is unique to each Authentication Agent.
4. On the RSA server, add the IP of the Replica as an Authentication Agent and verify the ports are open to the appliance.
5. Test that the RSA server recognizes the Replica agent and forms the node secret.
6. Once this is complete, the Replica can be put back into replicating mode (Run Level "Operational") from the Cluster Management page of the Primary appliance, and it will be ready to perform RSA authentication in the event of a failover (refer to the Systems Administrator Guide for steps on how to UnForce a Failover. A copy of the guide may be downloaded here: TPAM Appliance - Release Notes and Guides.)
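Because the sdopts.rec file is unique to each cluster member and is not replicated, a common failure is uploading the Primary's copy to the Replica, after which the RSA server never forms a node secret for the Replica. The following added example (not part of this article or of the TPAM product) checks an sdopts.rec against the appliance it is about to be uploaded to; it assumes the text-based KEY=VALUE layout with CLIENT_IP and USESERVER entries, and the sample file contents are constructed.

```python
"""Sanity-check an RSA agent sdopts.rec before uploading it to a TPAM appliance."""
import ipaddress
import re

# Constructed sample sdopts.rec for a Replica appliance (assumed KEY=VALUE layout).
SAMPLE_SDOPTS = """\
# sdopts.rec for the Replica (constructed example)
CLIENT_IP=10.20.30.41
USESERVER=10.20.30.5, PRIMARY
USESERVER=10.20.30.6
"""

def parse_sdopts(text):
    """Parse sdopts.rec text into {'CLIENT_IP': str|None, 'USESERVER': [ip, ...]}.

    Comments (#) and blank lines are ignored; IPs are validated so a
    mistyped address fails here rather than silently on the RSA server.
    """
    opts = {"CLIENT_IP": None, "USESERVER": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Z_]+)\s*=\s*(.+)$", line)
        if not m:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if key == "CLIENT_IP":
            opts["CLIENT_IP"] = str(ipaddress.ip_address(value))
        elif key == "USESERVER":
            # USESERVER may carry a trailing ", PRIMARY" tag; keep only the address.
            opts["USESERVER"].append(str(ipaddress.ip_address(value.split(",")[0].strip())))
    return opts

def check_for_appliance(text, appliance_ip):
    """Return a list of problems; an empty list means the file matches this appliance."""
    problems = []
    opts = parse_sdopts(text)
    expected = str(ipaddress.ip_address(appliance_ip))
    if opts["CLIENT_IP"] is None:
        problems.append("CLIENT_IP missing: the agent's source address is not pinned")
    elif opts["CLIENT_IP"] != expected:
        problems.append(f"CLIENT_IP {opts['CLIENT_IP']} is not this appliance ({expected}); "
                        "the file was probably copied from the other cluster member")
    return problems

if __name__ == "__main__":
    print(check_for_appliance(SAMPLE_SDOPTS, "10.20.30.41"))  # [] -> safe to upload
    print(check_for_appliance(SAMPLE_SDOPTS, "10.20.30.40"))  # mismatch reported
```

Run it against the Replica's own IP address before uploading; a mismatch means the RSA server will register the agent under one address while the appliance sends traffic from another.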