configure_mfa

This command configures multi-factor authentication.

Before you run this command, make sure that your authentication application is configured. For DUO, define applications and users. For RSA SecurID, configure the RSA SecurID Authentication Manager.

This API is available in Guardium V11.2 and later.

REST API syntax

This API is available as a REST service with the POST method. Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/configure_mfa

GuardAPI syntax

configure_mfa parameter=value

Parameters

Parameter Value type Description
accessKey String RSA SecurID only.

From the RSA SecurID Console, generate the access key from the RSA SecurID Authentication API under Authentication Settings.

apiHost String The API host string.
  • For DUO, the apiHost is from DUO.
  • For RSA SecurID, the fully qualified domain name of the Authentication Manager.
clientId String RSA SecurID only.

The Hostname from the Add New Authentication Page of the RSA Security Console.

enable Boolean Required. Valid values:
  • false: Disable multi-factor authentication.
  • true: Enable multi-factor authentication.
exemptUsers String A comma-separated list of users to exempt from secondary authentication. You cannot exempt administrative OS (SSH) users.
iKey String DUO only. The integration key.
loginPath String Required. Determines whether to provide multi-factor authentication to the Guardium GUI, CLI, or SSH. Valid values:
  • GUI: Guardium GUI
  • SET_GUIUSER: Guardium CLI
  • SSH: Guardium administrative OS users (cli and guardcli1 - guardcli9) who log in to the CLI via SSH.
mfaType String Required. The authentication type.

For valid values, call configure_mfa from the command line with --help=true.

port Integer RSA SecurID only.

The communication port from the Add New Authentication Page of the RSA Security Console. The default is 5555.

sKey String DUO only. The secret key (from DUO).
verifySSL Boolean RSA SecurID only.

Required for SSH users only. Determines whether to verify the server-side certificate for the RSA SecurID Authentication Manager.

Before you run this command with verifySSL='true', you need to upload the CA or self-signed certificate, which must be in PEM format. For more information, see either Configuring multi-factor authentication with RSA SecurID or store certificate rsa securid.

Valid values:
  • false: Do not verify the SSL certificate.
  • true: Verify the SSL certificate.
api_target_host String

Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.

GuardAPI examples with DUO

This example configures multi-factor authentication for the Guardium GUI with DUO.

grdapi configure_mfa loginPath=GUI mfaType=DUO exemptUsers="admin, accessmgr" enable=true iKey=DIATOT8H1OXXXX sKey=2gMRXVj2iQXXXX apiHost=api-ccccc.duosecurity.com

This example configures MFA with DUO for Guardium CLI users.

grdapi configure_mfa loginPath=SET_GUIUSER mfaType=DUO exemptUsers="admin, accessmgr" enable=true iKey=DINT141B9I2N91SXXXXX sKey=3gMRXVj2iQXXXX apiHost=api-ddddd.duosecurity.com

This example disables MFA with DUO for Guardium SSH users.

grdapi configure_mfa loginPath=SSH mfaType=DUO enable=false

GuardAPI examples with RSA SecurID

This example configures MFA for GUI users with RSA SecurID.

grdapi configure_mfa loginPath=GUI mfaType="RSA SecurID" exemptUsers="admin, accessmgr" port=5555 verifySSL=false clientId=platform-vm10.mycompany.com accessKey=t0qx4zg7agcd2gqtad414a353318i85808r428p5pbwcgc33gn8381234567 apiHost=rsa88.mycompany.com enable=true

This example disables MFA for SSH users:

grdapi configure_mfa loginPath=SSH mfaType="RSA SecurID" enable=false
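
The following pre-change review of a configure_mfa parameter set is an added example, not part of the Guardium product or its documentation. It applies the rules from the parameter table above and flags settings that weaken MFA. The function names, the choice of which keys to mask, and the sample input are assumptions made for illustration.

```python
import re

# Rules transcribed from the parameter table on this page.
REQUIRED = ("enable", "loginPath", "mfaType")
LOGIN_PATHS = {"GUI", "SET_GUIUSER", "SSH"}
# mfaType spellings as used in the GuardAPI examples on this page.
ONLY_FOR = {"DUO": {"iKey", "sKey"},
            "RSA SecurID": {"accessKey", "clientId", "port", "verifySSL"}}
SECRETS = {"sKey", "accessKey"}  # assumption: keys to mask in change records
OS_ADMIN = re.compile(r"^(cli|guardcli[1-9])$")  # SSH users listed under loginPath

def review_configure_mfa(params):
    """Return (errors, warnings) for a dict of configure_mfa parameters."""
    errors, warnings = [], []
    errors += [f"missing required parameter {p}" for p in REQUIRED if p not in params]
    path, mfa = params.get("loginPath"), params.get("mfaType")
    if path is not None and path not in LOGIN_PATHS:
        errors.append(f"loginPath {path!r} is not GUI, SET_GUIUSER or SSH")
    for vendor, names in ONLY_FOR.items():
        for name in sorted(names.intersection(params)):
            if mfa != vendor:
                errors.append(f"{name} applies to {vendor} only, mfaType is {mfa!r}")
    if params.get("enable") is False:
        warnings.append(f"disables MFA for loginPath {path}")
    if mfa == "RSA SecurID" and params.get("enable") is True:
        if path == "SSH" and "verifySSL" not in params:
            errors.append("verifySSL is required for SSH users")
        if params.get("verifySSL") is False:
            warnings.append("verifySSL=false: Authentication Manager certificate is not verified")
    exempt = [u.strip() for u in params.get("exemptUsers", "").split(",") if u.strip()]
    for user in exempt:
        if OS_ADMIN.match(user):
            errors.append(f"{user} is an administrative OS user and cannot be exempted")
        else:
            warnings.append(f"{user} skips secondary authentication")
    return errors, warnings

def redact(params):
    """Copy of params with secret values masked, for logs and change records."""
    return {k: ("***" if k in SECRETS else v) for k, v in params.items()}

# Constructed input modelled on the RSA SecurID GUI example on this page.
SAMPLE = {"loginPath": "GUI", "mfaType": "RSA SecurID", "enable": True,
          "exemptUsers": "admin, accessmgr", "port": 5555, "verifySSL": False,
          "clientId": "platform-vm10.mycompany.com", "accessKey": "CONSTRUCTED",
          "apiHost": "rsa88.mycompany.com"}

if __name__ == "__main__":
    print(review_configure_mfa(SAMPLE), redact(SAMPLE))
```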