To enable a user for IBM® PowerSC MFA with RSA SecurID authentication, you need the user's RSA user ID. Before you can activate users, you must first create accounts for them in RSA Authentication Manager and assign RSA tokens.
You must also enable the Authentication API interface from the RSA Security Console; this interface requires RSA Authentication Manager 8.2 SP1 or later. The steps are summarized here; see your RSA Security Console documentation for complete details.
About this task
To enable users for IBM PowerSC MFA RSA SecurID authentication, complete the following steps:
- Open the RSA Security Console.
- Select .
- Click Enable Authentication API.
- Click Apply Settings.
- Make note of the Access Key and Communication Port; you will need them later. The Access Key is the credential that the PowerSC MFA server presents to the Authentication API, so store and transmit it as you would a password.
- Configure an RSA Authentication Agent for the IBM PowerSC MFA server. See your Authentication Manager documentation for details.
- In the IBM PowerSC MFA GUI, click the User Provisioning tab.
- Click the plus sign (+) control.
- Enter the ID for the user. The ID is the user name associated with the effective client user ID. IBM PowerSC MFA automatically saves the user ID in lowercase.
- Enter the Name for the user. This is a name of your choice.
- Enter an MFA password of your choice, if applicable. The MFA password is a special password that allows the user to log in to the IBM PowerSC MFA server for IBM PowerSC MFA-specific actions. This password is specific to the IBM PowerSC MFA server.
Note: In this release of IBM PowerSC MFA, the IBM PowerSC MFA password is needed only for enrolling tokens for TOTP and YubiKey, and for password authentication with the password authentication method. If the user is not using these authentication methods, you can leave this password blank.
- Click Save.
- The Policies table shows all of the policies assigned to the user. Click + in the Policies section. The All Policies table shows all of the available policies.
- Select one or more policies.
Important: For PAM client authentication, if you do not assign at least one authentication method to the user, the user is treated as if password fallback is enabled, regardless of the password fallback setting for that user account. In effect, such a user is not protected by MFA for PAM logins until a method is assigned and activated, so verify each user's methods after provisioning. For information about password fallback, see Setting password fallback.
- Click Confirm. The Authentication Methods table shows the configured authentication methods for the policy.
- Select the SecurID authentication method.
- Click the Edit icon.
- You are prompted for the user-specific authentication method settings. Specify the RSA user ID for this user. If you do not specify an RSA user ID, the MFA ID is used by default. Because the MFA ID is stored in lowercase, specify the RSA user ID explicitly whenever the user's ID in RSA Authentication Manager differs from the lowercase MFA ID.
- Click Confirm.
- Set Active to On for the authentication method.
- Click Confirm.
- The CTC Failure Count shows the number of consecutive times the user has failed to provide a valid credential. When this count exceeds the Max CTC Check Failures Before Suspension value (see Configuring server options), the Suspended control is set. You must switch the Suspended control off before the user can log in again.
- Tell users to use the out-of-band web server login page that you configured, such as https://server:port/mfa/policy-name, where port is the server authentication port you configured and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
- When the user visits the out-of-band web login page, user-specific information about the methods required for the user to log in is displayed.
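The following Python model illustrates the per-user state from the steps above: the lowercased MFA ID, the RSA user ID defaulting to the MFA ID, and the consecutive-failure counter that sets the Suspended control. It is an added example written for this page, not IBM code, and it does not talk to a PowerSC MFA server. The names `MfaUser`, `record_attempt`, `clear_suspension` and `simulate` are hypothetical, as is the assumption that the counter resets on a valid credential and that suspension fires when the counter strictly exceeds the Max CTC Check Failures Before Suspension value.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MfaUser:
    """Per-user state as it appears on the User Provisioning tab (hypothetical model)."""
    mfa_id: str
    rsa_user_id: Optional[str] = None  # None means "use the MFA ID" (documented default)
    ctc_failure_count: int = 0         # consecutive failed credential checks
    suspended: bool = False            # the Suspended control

    def __post_init__(self) -> None:
        # The GUI saves the MFA ID in lowercase; mirror that so effective_rsa_id
        # shows what would be sent to RSA by default.
        self.mfa_id = self.mfa_id.lower()

    @property
    def effective_rsa_id(self) -> str:
        """RSA user ID actually used: the explicit one, else the lowercased MFA ID."""
        return self.rsa_user_id if self.rsa_user_id else self.mfa_id


def record_attempt(user: MfaUser, credential_valid: bool, max_ctc_failures: int) -> bool:
    """Apply one credential check and return True if the login is allowed.

    Assumptions (the page does not spell these out):
    - a suspended user is rejected even with a valid credential;
    - a valid credential resets the consecutive counter;
    - suspension triggers when the counter exceeds max_ctc_failures,
      i.e. on failure number max_ctc_failures + 1.
    """
    if user.suspended:
        return False
    if credential_valid:
        user.ctc_failure_count = 0
        return True
    user.ctc_failure_count += 1
    if user.ctc_failure_count > max_ctc_failures:
        user.suspended = True
    return False


def clear_suspension(user: MfaUser) -> None:
    """Equivalent of an administrator switching the Suspended control off."""
    user.suspended = False
    user.ctc_failure_count = 0


def simulate(outcomes: List[bool], max_ctc_failures: int = 3,
             mfa_id: str = "JDoe",
             rsa_user_id: Optional[str] = None) -> Tuple[List[bool], MfaUser]:
    """Run a constructed sequence of attempts; return per-attempt decisions and final state."""
    user = MfaUser(mfa_id=mfa_id, rsa_user_id=rsa_user_id)
    decisions = [record_attempt(user, ok, max_ctc_failures) for ok in outcomes]
    return decisions, user


if __name__ == "__main__":
    # Constructed sample: two failures, a success (counter resets), four more
    # failures (the fourth exceeds the limit of 3 and suspends the account),
    # then a valid credential that is still rejected because of the suspension.
    decisions, user = simulate([False, False, True, False, False, False, False, True])
    print(decisions, user)
```

The last attempt in the sample is the case the step warns about: a correct credential does not lift the suspension; only clearing the Suspended control does.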