SailPoint IdentityNow - SecurID Authentication Manager Configuration
Originally Published: 2021-07-30

This section describes how to integrate SailPoint IdentityNow with RSA Authentication Manager using SecurID Authentication API.


Configure RSA Authentication Manager

Prerequisites

You must complete the following prerequisites on your IdentityIQ host before configuring RSA Authentication Manager:

  1. Configure at least one virtual appliance cluster and successfully test the connection.

  2. Meet the requirements necessary to support TLS communication in the virtual appliance you plan to use with this source.

  3. Ensure that a valid TLS certificate is present in the correct directory. For example, /home/sailpoint/certificates.


Procedure

  1. Import the server root certificate.

    1. To export the server root certificate, change directories to <RSA_AM_HOME>/appserver/ and enter the following command:

        jdk/jre/bin/keytool -export -keystore <RSA_AM_HOME>/server/security/<your_server_name>.jks -file <your_root>.cer -alias rsa_am_ca

      At the prompt for keystore_password, press Enter without entering a password.

      Notes:

      Ignore the warning message that appears; the server root certificate is still exported.

      In the above directory path, <RSA_AM_HOME> is a generic placeholder for the /opt/rsa/am path and <your_server_name>.jks is a placeholder for the caStore.jks keystore.

    2. To import the certificate, locate the server root certificate file that you exported from Authentication Manager and copy it to the VA certificate directory, /home/sailpoint/certificates.

    3. Restart the CCG.


  2. Set the Command Client User Name and Password. When you install RSA Authentication Manager, the system creates a user name and password for securing API connections to a command server. Follow the procedure below to obtain the command client user name and password from RSA Authentication Manager.

    1. Open a command prompt on your RSA Authentication Manager host, change directories to <RSA_AM_HOME>/utils and enter the following command: rsautil manage-secrets --action list

    2. When prompted, type your Operations Console username and password. (You created the Operations Console username and password when you configured RSA Authentication Manager.) The system displays the list of your internal system passwords.

    3. Locate the values for your command client user name and password.
      For example:

      Command Client User Name .................: CmdClient_ys0x7d41

      Command Client User Password .............: e9SHbK0W4i

  3. Create an RSA Authentication Manager account for connector operations.

    1. The connector requires an RSA Authentication Manager administrative user account with special permissions in order to perform aggregation and provisioning operations. Refer to the SailPoint IdentityIQ RSA Authentication Manager Connector guide for the relevant permissions.
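As an added pre-flight check (example code, not SailPoint's or RSA's own), the following script confirms that the root certificate exported in the certificate step actually validates a TLS handshake to the Authentication Manager API port before you restart the CCG, and extracts the Command Client values from the manage-secrets listing so they are not copied by hand. The host name am.example.internal, the file name root.cer and the function names are assumptions; the sample listing is constructed from the example values shown above.

```python
"""Pre-flight checks for the RSA Authentication Manager source.
Added example, not SailPoint or RSA code. Assumes the exported root
certificate was copied to /home/sailpoint/certificates and that the
Authentication Manager API listens on the default port 7002."""
import re
import socket
import ssl
from pathlib import Path

AM_PORT = 7002                                       # default Authentication Manager API port
CERT_DIR = Path("/home/sailpoint/certificates")      # VA certificate directory
# Matches the two lines of interest in `rsautil manage-secrets --action list` output
SECRET_LINE = re.compile(r"^(Command Client User (?:Name|Password))\s*\.*:\s*(\S+)$")


def to_pem(cert_bytes: bytes) -> str:
    """keytool -export writes DER by default; the ssl module needs PEM text."""
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:
        return cert_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)


def verify_am_tls(host: str, root_cert: Path, port: int = AM_PORT) -> str:
    """Handshake with Authentication Manager trusting ONLY the exported root.
    Returns the server certificate's commonName; raises ssl.SSLError when the
    chain does not lead to that root or the host name does not match."""
    ctx = ssl.create_default_context(cadata=to_pem(root_cert.read_bytes()))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


def parse_command_client(listing: str) -> dict:
    """Extract the Command Client user name and password from the secrets listing."""
    found = {}
    for line in listing.splitlines():
        m = SECRET_LINE.match(line.strip())
        if m:
            key = "username" if m.group(1).endswith("Name") else "password"
            found[key] = m.group(2)
    return found


# Constructed sample, using the example values from the listing above
SAMPLE_LISTING = """Command Client User Name .................: CmdClient_ys0x7d41
Command Client User Password .............: e9SHbK0W4i
"""

if __name__ == "__main__":
    creds = parse_command_client(SAMPLE_LISTING)
    print("command client user:", creds["username"])   # never echo the password
    cn = verify_am_tls("am.example.internal", CERT_DIR / "root.cer")  # assumed names
    print("TLS chain validated against exported root; server CN:", cn)
```

If the handshake raises a verification error, the wrong alias was exported or the VA does not reach the server by the name in its certificate; fix that before restarting the CCG.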


Configure SailPoint IdentityNow

Perform these steps to configure SailPoint IdentityNow with RSA Authentication Manager.


Procedure

  1. Log in to IdentityIQ as a superadmin user.

  2. Select the Connection tab and click the New button to create a new source.

  3. Select RSA Authentication Manager from the Source Type dropdown list and enter Source Name, Description, Source Owner, Connection Type as Direct Connection, Governance Group for Source Management (Optional). The Source Owner is the person responsible for administering, operating, and managing the source system.

  4. Under the Config tab, enter the required configuration parameters:

    Attribute: Description

    Service Account: The service account name of the administrator used to connect to the RSA Authentication Manager server.

    Password: The password of the administrator mentioned above.

    Command Client User: The command client user name.

    Command Client Password: The password corresponding to the Command Client User.

    Hostname or IP Address: The host name of the RSA Authentication Manager server.

    Port: The port to use to connect to RSA Authentication Manager. Default port: 7002

    Realm: The name of the realm to manage. By default, you can specify SystemDomain if the Realm name has not been modified.

    Identity Source: The identity source name linked to the realm. By default, you can use Internal Database as the source name if that is the only RSA Authentication Manager identity source you want to manage. Otherwise, it can be any external database that you configured in the RSA Operations Console on the managed RSA Authentication Manager system.

    Security Domain: The name of the security domain to manage. If not specified, the top-level security domain in the Realm is used. By default, this is SystemDomain.

    Search Subdomains: Select Search Subdomains if child subdomains also need to be managed.

    1. Select the appropriate Virtual Appliance Cluster. A virtual appliance (VA) is a Linux-based virtual machine that connects to your sources and apps using APIs, connectors, and integrations already available from SailPoint.

    2. Enter the server’s hostname and API connection port number in the Host and Port fields.

    3. Enter your RSA Authentication Manager administrator’s username and password in the Administrator and Password fields.

    4. Enter the RSA Command Client User’s username and password in the Command Client Username and Command Client Password fields.

    5. Enter the name of the RSA Authentication Manager realm you will manage in the Realm field and the realm’s identity source name in the Identity Source field.

    6. Enter the name of the security domain you will manage in the Security Domain field. If you would like to manage its subdomains as well, check the Search Subdomains checkbox.

  5. Click the Save button.


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SecurID Authentication API configuration to your use case.

See the main page for more certification information.