A more concise guide to updating Authentication Manager 8.x passwords
4 months ago
Originally Published: 2017-01-25
Article Number
000059081
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
  • When trying to access the RSA Authentication Manager Security Console, the following error is seen:
Error: Authentication with user name/password failed
 
  • When configuring the RADIUS server: 
There was a problem processing your request. 
Unexpected failure in configuring RADIUS server.
Tasks

Tasks to complete:

  1. Access Authentication Manager primary via SSH or console.
  2. Navigate to /opt/rsa/am/utils.
  3. Run the restore-admin command to create a temporary admin user.

It is a good idea to create this admin account with the date appended to its name, e.g., scadminNov132025.

Do NOT include the -p <tempAdminPassword> value on the rsautil command line: the password will remain in the Linux shell history, and special character combinations in a password can be interpreted by the shell instead of copied literally, resulting in an unknown password. Let the utility prompt you for the new <tempAdmin> password.
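
The two risks described above, as an added example that is not part of the original article or RSA's tooling: it audits a shell history for rsautil calls that carried -p, and shows what a program receives when a password containing & is typed unquoted. The function names, history lines and passwords are constructed for illustration.

```sh
#!/bin/sh
# Added example, not RSA code. The history lines and passwords are constructed.
SAMPLE_HISTORY='cd /opt/rsa/am/utils
./rsautil restore-admin -u scadminNov132025
./rsautil restore-admin -u scadminNov132025 -p Winter&2025
ls -l
./rsautil restore-admin -p "Tmp~Pass1" -u scadminNov132025'

# audit_history: read shell history on stdin and print "LINE:command" for each
# rsautil call that carried -p, masking the value so the report does not
# leak the password a second time.
audit_history() {
    grep -nE 'rsautil([[:space:]].*)?[[:space:]]-p[[:space:]]' |
        sed -E "s/([[:space:]]-p[[:space:]]+)(\"[^\"]*\"|'[^']*'|[^[:space:]]+)/\\1<redacted>/"
}

# what_program_sees TYPED: print the argument a program really receives when
# TYPED is entered unquoted after -p. A child sh re-parses the text the way
# the login shell would; "|| true" absorbs the child's failure status.
# Feed it constructed strings only: the text is parsed as shell input.
what_program_sees() {
    sh -c "printf '%s' $1" 2>/dev/null || true
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_HISTORY" | audit_history
printf 'typed: %s  received: %s\n' 'Winter&2025' "$(what_program_sees 'Winter&2025')"
```

To check a real account, run audit_history < ~/.bash_history as that user; any line it reports means a password was written to the history file.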

Resolution

I.  How to reset/restore an unknown super admin password when you know the Operations Console administrator password

  1. SSH to the Authentication Manager primary server with the rsaadmin account and the operating system password created during deployment.
  2. Navigate to /opt/rsa/am/utils.

  3. Run the restore-admin utility. Here we are creating a new temp admin named scadminNov132025 (./rsautil restore-admin -u scadminNov132025). Note: The temp admin user must be unique; it cannot already exist.
  4. When complete, there will be a message that the temporary admin is only valid for 24 hours.

  5. Log in to the Security Console to update your original admin's password.
Notes
  • It is good to avoid the following special characters: & @ ~
  • It is safer to enter the super admin password when prompted, as opposed to on the command line with the -p switch. See notes above.
  • RSA Authentication Manager appliances have three main login accounts with passwords:
    1. The super admin account is used to log in to the Security Console on port 7004. This account is stored in the internal database.
    2. The Operations Console admin account is used to log in to the Operations Console on port 7072. This account is stored in a system file.
    3. The rsaadmin account, aka the operating system account, for access into Linux.
  • When you deploy an Authentication Manager 8.x server with Quick Setup, you are creating these three accounts.
  • The super admin account is replicated to all replicas through in-band replication.
  • The Operations Console admin account is replicated to all replicas through Out Of Band (OOB) replication.
  • The rsaadmin account is not replicated and could be unique to each primary and replica within a deployment realm. If you change it on the primary, you must change it on the replicas to keep it in sync.
  • If you know at least two of these accounts and passwords, you can reset or recover the other one.