Enable unassigned RSA SecurID tokens in bulk for RSA Authentication Manager 8.1 SP1 or later
Originally Published: 2015-08-21
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This can be confusing to end users and can generate Help Desk calls, especially since the steps to activate the token are listed first in the email, but will not work until token is first set to Enabled. This article provides a workaround for this situation.
Tasks
To work around this issue, an RSA Authentication Manager administrator will need to:
- Either enable unassigned tokens in bulk through the Security Console, or
- Enable all disabled tokens through a SQL update command in the PostgreSQL database.
Resolution
Enable unassigned tokens in bulk through the Security Console
A simple work-around would be enable the tokens in bulk in the Security Console?. Note that a maximum of 500 unassigned tokens can be selected at a time.- From the Security Console, select Authentication > SecurID Tokens > Manage Existing.
- Click on the Unassigned tab.
- In the Search Criteria options, define the Security Domain and search for All Unassigned Tokens.
- When the results come back, place a check next to the tokens you wish to enable.
- As in the screenshot below, change the Action box to Enable.
- Click Go.
- After clicking Go, the green check is removed from the Disabled column, indicating the token is now enabled for use. Now the user can successfully request token through Self Service Console.
Enable all disabled tokens through a SQL UPDATE command in the PostgreSQLdatabase
- Launch an SSH client, such as PuTTY, vSphere or a direct connection
- Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to login.
- Navigate to /opt/rsa/am/utils.
- Obtain the database password with the command ./rsautil manage-secrets -a get com.rsa.db.dba.password. This password is unique for each deployment of RSA Authentication Manager.
login as: rsaadmin Using keyboard-interactive authentication. Password: <enter operating system password> Last login: Wed Oct 7 16:31:13 2015 from jumphost.vcloud.local RSA Authentication Manager Installation Directory: /opt/rsa/am rsaadmin@am81p:~> cd /opt/rsa/am/utils rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password Please enter OC Administrator username: <enter Operations Console administrator name> Please enter OC Administrator password: <enter Operations Console administrator password> com.rsa.db.dba.password: rSKD5bGguLGNL9uGvFWnJoxIcHJah2
- Navigate to /opt/rsa/am/pgsql/bin.
- Connect to the PostgreSQL database:
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba Password for user rsa_dba: psql.bin (9.2.4) SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Type "help" for help.
- Run the following SELECT statement:
db=# SELECT serial_number,IS_ENABLED FROM am_TOKEN WHERE IS_ENABLED='f'; serial_number | is_enabled ---------------+------------ 000031701333 | f 000031701334 | f 000031701335 | f . . .
The list of token serial numbers displayed here should match the tokens shown as Disabled in the Security Console UI.
- Enabled these tokens with an UPDATE command that sets the IS_ENABLED value from false to true:
db=# UPDATE rsa_rep.AM_TOKEN set IS_ENABLED='t' WHERE IS_ENABLED='f'; UPDATE 639
- Refresh the Security Console and compare the list of tokens with the tokens in the UI to confirm the token flag was updated successfully and the tokens are now listed as enabled.
