Delete a Large Number of Expired Tokens from the Authentication Manager 8.x Database
Originally Published: 2018-01-09
Article Number
000063343
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
Product Name: Authentication Manager Bulk Administration (AMBA)
 
Issue
The customer needs to delete a large number of expired tokens from the Authentication Manager database.
Resolution

RSA Authentication Manager Bulk Administration has three actions for deleting tokens from the Authentication Manager database: Unassign Token (UT), Delete Token (DT) and Rescind Token (RT).

The following action information was taken from the RSA Authentication Manager Bulk Administration (AMBA) Custom Application Guide.

Unassign Token (UT)
 
Unassigns a token from a user. If the user has no other tokens, this function also deletes the user record from the database, provided that:

  • The user is not an administrator.
  • The user is not enabled on any Agent Host.
  • The user does not belong to any group.
  • The user record has no extension fields.

Unless all of these requirements are met, the token is not unassigned and the user is not deleted. If you only want to unassign the token and leave the user account in place, use Rescind Token.
 
Action: UT
Required Fields: TokSerial
Optional Fields: None
 
Delete Token (DT)
 
Deletes from the database the record of an unassigned token identified by TokSerial.
 
Action: DT
Required Fields: TokSerial
Optional Fields: None
 
Rescind Token (RT)
 
The token specified will be unassigned. No other action regarding this user is performed.
 
Action: RT
Required Fields: TokSerial
Optional Fields: None

NOTES

  • ‘Unassign Token’ depends on the conditions under which the user account is removed together with the token.
  • ‘Delete Token’ requires the token to be unassigned from the user first.
  • ‘Rescind Token’ unassigns the token from the user and leaves the user in the database. This leaves the token in an unassigned state which can be removed using the ‘Delete Token’ action.

 
Example Using Rescind Token & Delete Token
 
The following AMBA example unassigns the token from two end users and then deletes the tokens that were assigned to these two users.

Example command used at the command line from the /opt/rsa/am/utils folder: 

./rsautil AMBulkAdmin -i AMBA/actions.txt -o outputlog --verbose -a superadmin -P <password> --lic AMBA/11307-2014.lic
NOTE: Customers with an RSA Authentication Manager 8.2 or later enterprise license will not require the --lic parameter.
 

Contents of AMBA/actions.txt

Action,TokSerial
RT,000413095210
DT,000413095210
RT,000413095211
DT,000413095211

Data written to outputlog

BOJ    : 2017-11-30 13:35:00 - 1.5.0 Build 105 - License expires at midnight on 2035-12-31 - Input = AMBA/actions.txt
Info   : 2017-11-30 13:35:00 - License Number: 11307-2014 - Issued To: RSA CS APJ - Issued On: 03/23/2014
Info   :                                                                -Output Log File Opened
Info   :                       Line     1                               -Header Line
Info   :                                                                -Entering rescindToken
Success: 2017-11-30 13:35:00 : Line     2 - rescindToken                -000413095210
Info   :                                                                -Leaving rescindToken
Info   :                                                                -Entering deleteToken
Success: 2017-11-30 13:35:00 : Line     3 - deleteToken                 -000413095210
Info   :                                                                -Leaving deleteToken
Info   :                                                                -Entering rescindToken
Success: 2017-11-30 13:35:01 : Line     4 - rescindToken                -000413095211
Info   :                                                                -Leaving rescindToken
Info   :                                                                -Entering deleteToken
Success: 2017-11-30 13:35:01 : Line     5 - deleteToken                 -000413095211
Info   :                                                                -Leaving deleteToken
Info   :                                                                -Closing input file
Info   :                                                                -Closing rejected actions file
Info   :                                                                -Closing unsupported actions file
Info   :                                                                -Log File Closed
Info   :                                                                -Exit code: 0
EOJ    : 2017-11-30 13:35:01 - Terminating
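
For a large batch, the actions file can be generated from a list of serial numbers and the output log checked afterwards for tokens that were not deleted. The script below is an added example, not part of the RSA article or of AMBA. The function names, the input file with one serial per line, and the 12-digit serial check (based on the serials shown above) are assumptions.

```shell
#!/bin/sh
# Added example, not RSA-supplied code. Assumes 12-digit serials, one per line.

# make_actions SERIALS_FILE
# Print an AMBA actions file: header, then RT followed by DT for each serial.
# Blank lines and duplicates are dropped; malformed serials go to stderr.
make_actions() {
    awk '
        BEGIN { print "Action,TokSerial" }
        { gsub(/[ \t\r]/, "") }                  # tolerate spaces and CRLF input
        $0 == "" { next }
        $0 !~ /^[0-9]+$/ || length($0) != 12 {
            print "skipped: " $0 | "cat 1>&2"; next
        }
        !seen[$0]++ { print "RT," $0; print "DT," $0 }
    ' "$1"
}

# failed_serials ACTIONS_FILE LOG_FILE
# Print every serial that has a DT line in the actions file but no
# "Success ... deleteToken" line in the log. Returns 1 if any are printed.
failed_serials() {
    awk -F, '
        FILENAME == ARGV[1] {                     # first file: the output log
            if ($0 ~ /^Success/ && $0 ~ / - deleteToken /) {
                s = $0
                sub(/.*-/, "", s)                 # serial follows the last "-"
                gsub(/[ \t\r]/, "", s)
                deleted[s] = 1
            }
            next
        }
        $1 == "DT" && !($2 in deleted) { print $2; missing = 1 }
        END { exit (missing ? 1 : 0) }
    ' "$2" "$1"
}

# Typical use on the primary instance (file names are placeholders):
#   make_actions expired_serials.txt > AMBA/actions.txt
#   ... run rsautil AMBulkAdmin as shown above ...
#   failed_serials AMBA/actions.txt outputlog
```

Only Success lines are matched, so any serial reported by failed_serials should be looked up in the output log to see why its delete did not complete.
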
Notes

Requires AMBA to be installed on the Authentication Manager primary instance.
Refer to the RSA Authentication Manager Bulk Administration Custom Application Guide for AMBA installation instructions.