You can either use a custom authentication scheme if you have some specific requirements or you can use the RSA Authentication scheme as follow: RSA authentication server works as a Primary and secondary failover mode,at any point of time only one server will be the primary authentication manager server and remaining authentication manager server will be acting as a secondary server which are in read only mode authentication manager servers, ( The Primary server and secondary server will form a failover cluster(in RSA term its called as the security realm/domain) ). While creating the SDCONF.REC file for an RSA PAM agent, we will add an entry in the agent host list in the RSA authentication manager servers, by default this RSA PAM agent entry would be part of default security realm/domain in the RSA authentication manager, then we will generate the SDCONF.REC file for this agent. So it should be managed by in the SDCONF.REC file that is used in the SECURE_ID authentication scheme https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/2235700.html Hope it helps, Julien.