Installing and configuring the C Authentication API
The challenge response authentication operation for agtrsaam prompts users to enter their RSA SecurID Authenticator passcode and interfaces with the RSA Authentication Server to determine if the user should be granted access to Bravura Security Fabric.
The RSA SecurID Authenticator state is determined by agtrsaam. For example, if a PIN or next code is required, agtrsaam can prompt the user accordingly.
To allow authentication from the Bravura Security Fabric server:
Configuring the RSA Authentication Manager server
If Bravura Security Fabric will authenticate users with accounts on an RSA Authentication Manager using the challenge response authentication operation for agtrsaam, you must configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric server, and install the RSA Authentication Agent client software on the Bravura Security Fabric server.
The following details may vary depending on your version of RSA Authentication Manager. Consult the documentation included with your version of RSA Authentication Manager 7.1/8.2 for more information.
Configure the RSA Authentication Manager server to permit authentication requests from the Bravura Security Fabric servers. In a replicated instance, all application nodes have to be registered with the RSA service. To do this, log into the administration console on the RSA Authentication Manager server.
On RSA Authentication Manager 7.1/8.2:
Click Access > Authentication Agents > Add new.
Type the name of the Bravura Security Fabric server in the Hostname field.
Type the network address in the IP Address field of the Bravura Security Fabric server.
Click Save to add Bravura Security Fabric as a client to the RSA service.
Limiting the RSA authentication to users who have a token
If the RSA Admin API is not installed (so users cannot be listed from the RSA application itself), use a synthetic target to provide the list of users who have RSA tokens.
To prevent the RSA authentication from failing for users who do not have RSA accounts, add a user class that contains the list of users with tokens, and add a rule in Manage external data store > hid_authchain_select that matches that user class, so that the RSA authentication option is offered only to those users.
Setting up the C Authentication API
This section details how to configure the execution of the challenge response authentication operation from agtrsaam.
RSA Authentication Manager accounts can be listed one of three ways:
A specific RSA Authentication Manager target. This will require installing the Java Admin API in addition to the C Authentication API if you want to run administrative operations like listing users and managing tokens. See Installing and configuring the Java Admin API for information on installing the Java Admin API.
Another target system in Bravura Security Fabric. This method only requires the short ID to be passed in. For example, users can be managed on Microsoft Active Directory, provided the short IDs are the same. In this case an authentication chain would be set for all users on an Active Directory target system.
If you do not want to install Java or the RSA Authentication Manager SDK (Java Admin API) to fully configure an RSA Authentication Manager 7.1/8.2 target, and only want to use the agtrsaam connector for the challenge response authentication operation, you can add a target (usually a NULL type) with default values for the target address parameters. These address parameters are left unused when authenticating with challenge response authentication; the target is then used only for the configuration of the authentication chain for the challenge response authentication operation using the agtrsaam connector. If the connection to the RSA target system is going to be run through a proxy, the RSA Authentication Agent client software must be installed on all Bravura Security Fabric application nodes as well as on the proxy. See Add RSA Authentication via connector authentication chain module for more information on the configuration of this custom authentication chain.
In order to set up the RSA Authentication Agent API (C Authentication API) and configure authentication for the Bravura Security Fabric server:
Locate the RSA Authentication Agent API, which may be obtained from the RSA Link Community web site. The following may be used:
RSA SecurID Authentication Agent SDK 8.6.1 Download for C
Note
The keywords to pay attention to when selecting the RSA C API are "Authentication Agent" and "C" to avoid using an agent for the wrong programming language.
From the RSA Authentication Agent API, copy the following files:
lib\64bit\nt\Release\aceclnt.dll
lib\64bit\nt\Release\sdmsg.dll
Also copy the following sample configuration file:
samples\rsa_api.properties
to the Bravura Security Fabric server here:
c:\Windows\System32
Note
Ensure that aceclnt.dll is copied from the above noted location. There are other files with the same name for other RSA client software or APIs and those will not be suitable.
Edit the rsa_api.properties file and add the following to the end of the file:
SDCONF_LOC = C:\Windows\System32\sdconf.rec
SDNDSCRT_LOC = C:\Windows\System32\securid
RSA_LOG_FILE_LOC = C:\Windows\Temp
RSA_BSAFE_LIBRARY_PATH=.
RSA_AGENT_NAME = <rsa agent hostname>
Ensure that <rsa agent hostname> is the Bravura Security Fabric server that is configured on the RSA Authentication Manager server to permit authentication requests. Start the newly installed RSA Agent software to ensure that you are able to connect to the RSA Authentication Manager server with the agent. An RSA administrator can help with that.
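The copy and edit steps above, automated as an added example (not a script from the Bravura Security Fabric documentation). It assumes the SDK is unpacked under the path passed as $SdkRoot, that $AgentHostname is the hostname registered on the RSA Authentication Manager server, and it appends only the keys that are not already present so it can be re-run:

```powershell
# Added example, not part of the product documentation. Stages the RSA Authentication
# Agent API files into System32 and appends the rsa_api.properties settings from the
# procedure above. $SdkRoot and $AgentHostname are assumptions supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $SdkRoot,        # unpacked RSA Authentication Agent SDK
    [Parameter(Mandatory)] [string] $AgentHostname,  # agent hostname registered in RSA AM
    [string] $Dest = 'C:\Windows\System32'
)
$ErrorActionPreference = 'Stop'

# Only the 64-bit NT Release build of aceclnt.dll is suitable; copies of the same
# name shipped with other RSA client software must not be used.
$files = @(
    'lib\64bit\nt\Release\aceclnt.dll',
    'lib\64bit\nt\Release\sdmsg.dll',
    'samples\rsa_api.properties'
)
foreach ($rel in $files) {
    $src = Join-Path $SdkRoot $rel
    if (-not (Test-Path $src)) { throw "Missing SDK file: $src" }
    Copy-Item -Path $src -Destination $Dest -Force
    Write-Host "Copied $rel -> $Dest"
}

# Settings the procedure requires at the end of rsa_api.properties.
$settings = [ordered]@{
    'SDCONF_LOC'             = 'C:\Windows\System32\sdconf.rec'
    'SDNDSCRT_LOC'           = 'C:\Windows\System32\securid'
    'RSA_LOG_FILE_LOC'       = 'C:\Windows\Temp'
    'RSA_BSAFE_LIBRARY_PATH' = '.'
    'RSA_AGENT_NAME'         = $AgentHostname
}
$props    = Join-Path $Dest 'rsa_api.properties'
$existing = Get-Content $props -ErrorAction SilentlyContinue

# Append a key only if the file does not already define it (idempotent re-runs).
$toAdd = foreach ($k in $settings.Keys) {
    if (-not ($existing -match "^\s*$k\s*=")) { "$k = $($settings[$k])" }
}
if ($toAdd) {
    Add-Content -Path $props -Value $toAdd
    Write-Host "Appended to ${props}:`n$($toAdd -join "`n")"
} else {
    Write-Host "rsa_api.properties already contains all required keys"
}
```

Run it in an elevated PowerShell session, then start the RSA Agent and confirm connectivity to the RSA Authentication Manager server as described above.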
To allow the RSA client to authenticate into the RSA Server, a "node secret" file is established in one of two ways:
Authenticate a user to establish the node secret (the simplest option, and the one recommended by RSA Support): use the client itself, on every node and proxy, to authenticate into the RSA Server.
or
Manually generate the node secret if RSA administrators do not allow RSA configuration to be pulled from the RSA Agents: copy the files manually from the RSA Server admin console and place them on every application node and proxy; each server will have to have a different file, containing a different node secret.
If the node secret is ever cleared for the Authentication Agent for the Bravura Security Fabric server in the RSA Security Console, a new node secret will need to be created, exported to a node secret file, and imported onto the Bravura Security Fabric server using one of the two options above.
Authenticate a user to establish the node secret
To use the client itself to authenticate, follow these steps on each server where Bravura Security Fabric or the proxy is installed:
Open the RSA Control Center client.
Click the Advanced Tools link.
Click Test Authentication.
Enter the User Name for a user with a SecurID authenticator.
Enter SecurID Passcode for the SecurID authenticator.
Once the SecurID authenticator has been successfully authenticated, the node secret will be created for the Bravura Security Fabric server.
The following files must then be manually copied to c:\Windows\System32:
c:\program files\common files\rsa shared\auth api\failover.dat
c:\program files\common files\rsa shared\auth data\sdconf.rec
c:\program files\common files\rsa shared\auth data\securid
If the RSA Agent does not create failover.dat it can be generated manually:
Click Access from the menu.
Click Authentication Agents from the sub-menu.
Click Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the failover.dat file.
Copy the failover.dat file to c:\Windows\System32.
Manually generate the node secret file
To manually generate the node secret file on RSA Authentication Manager 7.1/8.2 and import it using agent_nsload:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Manage Existing from the sub-menu.
Select the Authentication Agent from the list and then click on Manage Node Secret... from the drop-down list.
If a node secret file had previously been generated for this Authentication Agent, click the checkbox for Clear the node secret.
Select the checkbox for Create a new random node secret, and export the node secret to a file.
Enter a password for the node secret.
Click Save to generate the node secret file.
Copy the node secret file to a temporary location on the Bravura Security Fabric server.
From the RSA Authentication Agent API, copy the following files to the Bravura Security Fabric server to the same location as the node secret file:
util\64bit\nt\Release_MT\agent_nsload.exe
util\64bit\nt\Release_MT\sdmsg.dll
On the Bravura Security Fabric server, manually load the node secret:
agent_nsload.exe -f nodesecret.rec
Enter the password for the node secret when prompted if one was specified when it was generated on the RSA Authentication Manager server.
A securid file will be generated.
Copy the securid file to c:\Windows\System32.
Note
Ensure you clear the sensitive files from the temp directory after the configuration is tested; you may need to keep the binaries in case the node secrets are cleared at the server. Keep the configuration files and the node secret file in their installed location.
Ensure that the RSA client configuration file sdconf.rec, and optionally failover.dat, has been generated for the Authentication Agent of the Bravura Security Fabric server from the RSA Authentication Manager server.
See Failover to determine if you need failover.dat.
To generate the sdconf.rec and failover.dat files on RSA Authentication Manager 7.1/8.2:
Select Access from the menu.
Select Authentication Agents from the sub-menu.
Select Generate Configuration File from the sub-menu.
Click the Generate Configuration File button to generate the sdconf.rec and failover.dat files.
Copy sdconf.rec and optionally failover.dat to the Bravura Security Fabric server here:
c:\Windows\System32
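A post-deployment check for the files this procedure places in System32, as an added example that is not part of the product documentation. It verifies the required files are present and non-empty, that RSA_AGENT_NAME in rsa_api.properties matches the registered agent hostname, and then deletes the exported node secret left in the staging directory; $StagingDir, $AgentHostname and the nodesecret.rec file name are assumptions:

```powershell
# Added example, not from the product documentation. Verifies the RSA Authentication
# Agent deployment described above and removes the staged node secret export.
param(
    [Parameter(Mandatory)] [string] $AgentHostname,   # hostname registered in RSA AM
    [string] $StagingDir = 'C:\Temp\rsa-staging',     # assumed temp location used earlier
    [switch] $RequireFailover,                        # set when the Failover section applies
    [string] $Dest = 'C:\Windows\System32'
)
$ErrorActionPreference = 'Stop'
$problems = @()

# Files the procedure copies into System32; failover.dat only when failover is used.
$required = @('aceclnt.dll', 'sdmsg.dll', 'rsa_api.properties', 'sdconf.rec', 'securid')
if ($RequireFailover) { $required += 'failover.dat' }
foreach ($name in $required) {
    $path = Join-Path $Dest $name
    if (-not (Test-Path $path)) { $problems += "missing $path" }
    elseif ((Get-Item $path).Length -eq 0) { $problems += "empty file $path" }
}

# RSA_AGENT_NAME must be the hostname registered under Access > Authentication Agents.
$props = Join-Path $Dest 'rsa_api.properties'
if (Test-Path $props) {
    $match = @((Get-Content $props) -match '^\s*RSA_AGENT_NAME\s*=')
    $value = if ($match.Count -gt 0) { ($match[0] -split '=', 2)[1].Trim() } else { '' }
    if ($value -ne $AgentHostname) {
        $problems += "RSA_AGENT_NAME is '$value', expected '$AgentHostname'"
    }
    if ($value -like '<*') { $problems += 'RSA_AGENT_NAME still holds the placeholder' }
}

# The exported node secret is sensitive: once agent_nsload has produced the securid
# file and it is in System32, the staged copy (assumed name nodesecret.rec) goes away.
$staged = Join-Path $StagingDir 'nodesecret.rec'
if ((Test-Path $staged) -and ($problems.Count -eq 0)) {
    Remove-Item $staged -Force
    Write-Host "Removed staged node secret $staged"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "RSA Authentication Agent deployment verified for $AgentHostname"
```

The staged export is removed only when every check passes, so a failed verification leaves the file in place for a retry of the agent_nsload step.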
After the agtrsaam agent is set up, configure and test the C Authentication API.
Configure and test the C Authentication API
Consult the vendor’s documentation for specific configuration information and test the C Authentication API.
Failover
Note the following in regard to failover authentication requests:
Failover authentication requests from a primary RSA Authentication Manager to a replica server are supported natively by RSA with the RSA Authentication Agent API and use of the sdconf.rec and failover.dat.
The replica RSA Authentication Manager servers only provide failover for the SecurID token challenge response authentication.
Failover of administrative operations to the replica servers is not supported. Administrative operations may only be performed on the primary servers.
If a primary server is unavailable, promote a replica server to primary in order to perform administrative operations. The Bravura Security Fabric instance will also need to be reconfigured to make use of the new primary server for the target and sdconf.rec configuration.