CUSD command generates a failure when moving tokens between security domains in RSA Authentication Manager Bulk Administration (AMBA)
Originally Published: 2018-11-05
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 or later
Issue
Failure: yyyy-mm-dd hh:mm:ss : Line 2 - changeUserSecurityDomain - User: Unassigned, Token: 000xxxxxx123 NOT moved to Security Domaine: MyNewSecDomain - Reason: failed to find principal
Cause
Resolution
An administrator can review and remove the CT-KIP authcode data from the rsa_rep.am_ctkip_authcode table within the Authentication Manager database.
Steps to acquire the Authentication Manager database administrator password
- Log on to the SecurID Appliance with the rsaadmin account, either via SSH (where Secure Shell has been enabled) or at the local console.
Note that during Quick Setup another user name may have been selected. Use that user name to log in.
- Navigate to the /opt/rsa/am/utils folder using the command:
cd /opt/rsa/am/utils
- Retrieve the password for the rsa_dba user using the following command:
./rsautil manage-secrets -a get com.rsa.db.dba.password
NOTE: When prompted, enter the Operations Console administrative account username and password.
Report on CT-KIP authcode data
- To generate a report on CT-KIP authcode data, use the following command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT a.id, a.token_id, a.principal_id FROM rsa_rep.am_ctkip_authcode a, rsa_rep.am_principal p where a.principal_id=p.id ) TO STDOUT WITH CSV HEADER " > /tmp/report_data.csv
- When prompted, enter the rsa_dba password obtained in step 3 above.
- Review the contents of the /tmp/report_data.csv:
more /tmp/report_data.csv
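The following is an added example, not part of the original article and not RSA code. It summarises the report CSV so the number of rows, tokens and principals is known before the table is cleared. The function names are hypothetical, and the sample rows are constructed with made-up ID values.

```shell
#!/bin/sh
# Added example (not RSA code): summarise the CT-KIP authcode report CSV.
# Expects the header written by the COPY command: id,token_id,principal_id

# Count authcode rows, distinct tokens, distinct principals and bad lines.
summarize_report() {
    awk -F, '
        NR == 1 { next }                      # skip the CSV header row
        NF != 3 || $2 == "" || $3 == "" { malformed++; next }
        { rows++; per_token[$2]++; per_principal[$3]++ }
        END {
            for (t in per_token) tokens++
            for (p in per_principal) principals++
            printf "rows=%d tokens=%d principals=%d malformed=%d\n",
                   rows, tokens, principals, malformed
        }' "$1"
}

# Print principal_id values that hold more than one authcode row.
principals_with_multiple() {
    awk -F, 'NR > 1 && NF == 3 { n[$3]++ }
             END { for (p in n) if (n[p] > 1) print p }' "$1" | sort
}

# Constructed sample rows; the ID values are made up for illustration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
id,token_id,principal_id
a1,t1,p1
a2,t2,p1
a3,t3,p2
EOF

summarize_report "$sample"
principals_with_multiple "$sample"
```

On the appliance, pass /tmp/report_data.csv to the two functions instead of the sample file.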
Removing CT-KIP authcode data
- To remove the CT-KIP authcode data in the rsa_rep.am_ctkip_authcode table, use the following command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "delete FROM rsa_rep.am_ctkip_authcode"
- When prompted, enter the rsa_dba password obtained in step 3 above.
NOTE: The distribution of software tokens via dynamic seed provisioning (CT-KIP) will generate new data in the rsa_rep.am_ctkip_authcode table.
Notes
For more information on the Change User/Token Security Domain (CUSD) command, refer to page 62 of the RSA Authentication Manager 8.8 Bulk Administration Utility (AMBA) Guide.
The syntax will be as follows:
Action,DefLogin,SecurityDomain,DestinationSecurityDomain,MiscVariable
CUSD,<all>,MyOldSecDomain,MyNewSecDomain,4