CUSD command generates a failure when moving tokens between security domains in RSA Authentication Manager Bulk Administration (AMBA)
2 years ago
Originally Published: 2018-11-05
Article Number
000040496
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 or later
Issue
An administrator is using the Change User/Token Security Domain (CUSD) command to move tokens from one Security Domain to another Security Domain and it generates an error message in the AMBA output file.

Failure: yyyy-mm-dd hh:mm:ss : Line 2 - changeUserSecurityDomain - User: Unassigned, Token: 000xxxxxx123 NOT moved to Security Domaine: MyNewSecDomain - Reason: failed to find principal
Cause
Tokens being moved between Security domains have left over CT-KIP authcode data referencing a principal that no longer exists in the Authentication Manager database.
Resolution
An administrator can review and remove the CT-KIP authcode data from the rsa_rep.am_ctkip_authcode table within the Authentication Manager database.

Steps to acquire the Authentication Manager database administrator password

  1. Logon to the SecurID Appliance either via SSH where Secure Shell has been enabled or the local console with the rsaadmin account.
Note that during Quick Setup another user name may have been selected. Use that user name to login.
  1. Navigate to the /opt/rsa/am/utils folder using the command:
cd /opt/rsa/am/utils
  1. Retrieve the password for the rsa_dba user using the following command:
./rsautil manage-secrets -a get com.rsa.db.dba.password

NOTE: When prompted, enter the Operations Console administrative account username and password.


Report on CT-KIP authcode data

  1. To generate a report on CT-KIP authcode data use the following command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT a.id, a.token_id, a.principal_id FROM rsa_rep.am_ctkip_authcode a, rsa_rep.am_principal p where a.principal_id=p.id ) TO STDOUT WITH CSV HEADER " > /tmp/report_data.csv
  1. When prompted enter the rsa_dba password obtained in step 3 above.
  2. Review the contents of the /tmp/report_data.csv:
more /tmp/report_data.csv
 

Removing CT-KIP authcode data

  1. To remove the CT-KIP authcode data in the rsa_rep.am_ctkip_authcode table use the folloing command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "delete FROM rsa_rep.am_ctkip_authcode"
  1. When prompted enter the rsa_dba password obtained in step 3 above.
 

NOTE: The distribution of software tokens via dynamic seed provisioning (CT-KIP) will generate new data in the rsa_rep.am_ctkip_authcode table.

Notes
For more information on the Change User/Token Security Domain (CUSD) refer to page 62 of the RSA Authentication Manager 8.3 Bulk Administration Utility (AMBA) Guide.

The syntax will be as follows: 
Action,DefLogin,SecurityDomain,DestinationSecurityDomain,MiscVariable
CUSD,<all>,MyOldSecDomain,MyNewSecDomain,4


 
Don't see what you're looking for?