Configure the RSA token authentication mechanism
We can use the console to configure the RSA token authentication mechanism.
The RSA token authentication mechanism can only be used for administrative requests. The authentication mechanism choices for administrative authentication are part of the Global Security panel of the administrative console.
The RSA token authentication mechanism is the default selection for the application server. Kerberos can be selected on the main authentication mechanism panels of the administrative console, where RSA token authentication can also be configured. During registration of a base profile with the administrative agent, the trusted certificates on both sides are updated with the root signer of the other. The same process occurs during registration of an administrative agent or deployment manager with a job manager. When the registration is removed, the trusted signers are removed from both sides so that trust is no longer established.
By default, the RSA mechanism is set up correctly during the registration tasks, such as registerNode or registerWithJobManager. No further actions are necessary to establish trust within these environments. However, if you must establish trust between two base servers or between two administrative agents, for example, use the following steps to configure the RSA token authentication mechanism further:
- Click Security > Global security. Under Administrative security, click the Administrative authentication link.
- Select the RSA token radio button. Select a data encryption keystore from the drop-down list. This option is recommended for flexible systems administration.
- Optional: To exchange the root signers between two base servers:
  - Select the root keystore from the Data encryption keystore drop-down list (such as NodeRSATokenRootStore).
  - Click Extract Signer.
  - Enter a fully qualified name in the Certificate file name field.
  - Click OK.
- Optional: Transfer the extracted root signer to the other server, and add it to that server's trusted signers keystore:
  - Select the trusted keystore from the drop-down list (such as NodeRSATokenTrustedStore).
  - Click Add Signer.
  - Enter a unique name for the Alias.
  - Enter a fully qualified name for the signer key file.
  - Click OK.
- Enter the nonce cache timeout value.
- Enter the token timeout value.
- Click Apply and Save.
Results
You have configured the RSA token authentication mechanism.
Subtopics
- RSA token authentication settings
Use this panel to configure RSA token authentication.
- (dist) RSA token certificate use
The RSA token uses certificates in a similar way to SSL. However, the trust established for SSL and for RSA is different: RSA should not use SSL certificates, and vice versa. SSL certificates can be used by pure clients, and if they were also used for the RSA mechanism, a client could send an RSA token to the server. The RSA token authentication mechanism is purely for server-to-server requests and should not be used by pure clients. The way to prevent this is to control the certificates used by RSA so that they are never distributed to any clients. A separate root certificate for RSA prevents trust from being established with clients that only need SSL certificates.
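The root-signer exchange in the steps above and the separate RSA trust root described here, as an added Go model (example code, not WebSphere's own; the keystores are in-memory stand-ins built with crypto/x509, and the names serverA, pureClient and the root common names are assumptions):

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"
	"crypto/x509/pkix"; "encoding/pem"; "fmt"; "math/big"; "time"
)
// mint creates a certificate for cn: with parent nil it is a self-signed root signer (what a server keeps
// in NodeRSATokenRootStore), otherwise a personal certificate signed by parent. Keys are generated in memory.
func mint(cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := parent == nil
	ku := x509.KeyUsageDigitalSignature
	if ca { ku = x509.KeyUsageCertSign }
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: ku}
	if ca { parent, pk = t, key }
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// extractSigner models "Extract Signer": only the root certificate, written out as PEM.
func extractSigner(root *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
}

// trustedStore models the receiving side's NodeRSATokenTrustedStore after "Add Signer".
func trustedStore(signerPEMs ...[]byte) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, p := range signerPEMs { pool.AppendCertsFromPEM(p) }
	return pool
}

// acceptToken is true only if the sender's certificate chains to a signer in the RSA trusted store.
func acceptToken(sender *x509.Certificate, store *x509.CertPool) bool {
	_, err := sender.Verify(x509.VerifyOptions{Roots: store})
	return err == nil
}

// Scenario: server B adds only server A's RSA root signer, so A's personal certificate is accepted
// with its token, while a pure client whose certificate chains to the SSL root is rejected.
func Scenario() (serverAccepted, clientAccepted bool) {
	rsaRootA, rsaKeyA := mint("ServerA RSA Token Root", nil, nil)
	sslRoot, sslKey := mint("Cell SSL Root", nil, nil)
	storeB := trustedStore(extractSigner(rsaRootA))
	serverCert, _ := mint("serverA", rsaRootA, rsaKeyA)
	clientCert, _ := mint("pureClient", sslRoot, sslKey)
	return acceptToken(serverCert, storeB), acceptToken(clientCert, storeB)
}

func main() { s, c := Scenario(); fmt.Println("serverA accepted:", s, "SSL-only client accepted:", c) }
```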
Related concepts
Job manager security
Related tasks
Select an authentication mechanism