Create a report of online emergency access tokencodes and emergency access tokencode lifetimes for RSA Authentication Manager 8.x
Originally Published: 2020-05-12
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
- Type of emergency access tokencodes:
  - Temporary fixed tokencode, or
  - Set of one time tokencodes
- Emergency access tokencode lifetime
Resolution
- Enable Secure Shell on the Appliance.
- Log On to the Appliance Operating System with SSH.
  - Launch an SSH client, such as PuTTY.
  - Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.
    During Quick Setup, another username may have been selected. Use that username to log in.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Connect to the RSA Authentication Manager database and enter credentials for the Operations Console administrator when prompted.
- The value of com.rsa.db.dba.password is returned. This password is unique to each deployment of RSA Authentication Manager.
rsaadmin@primary:~> cd /opt/rsa/am/utils
rsaadmin@primary:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: ijMFjf61f2VZMA2JMBmOnJqUSYsXby
- Access the database with the com.rsa.db.dba.password captured above:
rsaadmin@primary:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@primary:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured in step 6>
psql.bin (9.4.1)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.
db=#
- Run the following query to get both the set of one time tokencodes and temporary fixed tokencodes:
db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, amt.emergency_access_mode, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND TOKEN_TEMP_STATUS_EXPIRY_DATE is not null;
loginuid | token_temp_status_expiry_date | emergency_access_mode | serial_number
----------+-------------------------------+-----------------------+---------------
iman | 2020-05-26 21:59:00 | 2 | 000116033641 (set of one time tokencodes)
camerica | 2020-05-26 21:59:00 | 1 | 000116033642 (temporary fixed tokencode)
(2 rows)
Where,
1 = Temporary fixed tokencode
2 = Set of one time tokencodes
- To list the temporary fixed tokencode only:
db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=1;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+----------------+---------------
camerica | 2020-05-26 21:59:00 | | 000116033642
(1 row)
- To list a set of one time tokencodes only:
db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=2;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+----------------+---------------
iman | 2020-05-26 21:59:00 | | 000116033641
(1 row)
- For a list of previously configured tokens and users (not enabled for Online Emergency Access anymore):
db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=0;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+---------------------+---------------
dstrange | | 2020-06-11 23:59:59 | 000116033640
dstrange | | 2019-09-20 23:59:59 | 000406113859
(2 rows)
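A consolidated form of the queries above, as an added example that is not part of the original article: it goes beyond the individual queries by labelling each emergency access mode in the result, flagging entries whose lifetime has already passed, and sorting by expiry so the longest-lived emergency access stands out in a review. It uses only the tables and columns shown in the article; the output aliases (access_type, remaining_lifetime, state) and the assumption that token_temp_status_expiry_date is a timestamp comparable with the database server's LOCALTIMESTAMP are not from the article.

```sql
-- Added example, not from the original article.
-- Tables and columns are the ones used in the article's queries.
-- Assumption: token_temp_status_expiry_date is a timestamp column that can be
-- compared with LOCALTIMESTAMP on the database server.
-- access_type, remaining_lifetime and state are illustrative aliases.
SELECT
    ipd.loginuid,
    amt.serial_number,
    CASE amt.emergency_access_mode
        WHEN 1 THEN 'temporary fixed tokencode'
        WHEN 2 THEN 'set of one time tokencodes'
        WHEN 0 THEN 'not enabled'
        ELSE 'unknown mode ' || CAST(amt.emergency_access_mode AS text)
    END AS access_type,
    token_temp_status_expiry_date,
    -- Interval left before the emergency access lifetime ends
    -- (negative when the expiry date is already in the past).
    token_temp_status_expiry_date - LOCALTIMESTAMP AS remaining_lifetime,
    CASE
        WHEN token_temp_status_expiry_date < LOCALTIMESTAMP THEN 'expired'
        ELSE 'active'
    END AS state
FROM rsa_rep.ims_principal_data ipd
JOIN rsa_rep.am_token amt
  ON ipd.id = amt.principal_id
-- Same filter as the article's first query: only tokens that currently
-- carry an emergency access expiry date.
WHERE token_temp_status_expiry_date IS NOT NULL
-- Latest expiry first, so long-lived emergency access is reviewed first.
ORDER BY token_temp_status_expiry_date DESC, ipd.loginuid;
```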