The manage-readonly-dbusers utility does not allow access from a subnet despite using the -n option with RSA Authentication Manager 8.2 SP1 and above
Originally Published: 2019-11-15
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1, 8.3, 8.4 patch 6
Issue
When running the ./rsautil manage-readonly-dbusers command line utility (CLU) with the -n option, the expected result is that the user is created and the subnet is allowed access. The user is created, but the subnet is not allowed access.
Cause
- You created a new read-only database user with the command below, where -X is debug mode, -a is the action (create), -o is the Operations Console (OC) user, -u is the new database username, -i is the IP address of the client, and -n is the IP mask of the client machine(s):
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-readonly-dbusers -X -a create -o ocadmin -u dbreaduser -i 10.114.187.0 -n 255.255.255.0
Enter Operations Console (OC) password: <enter Operations Console admin password>
Enter password for the read-only database user: <enter read-only database user password>
Confirm password for the read-only database user: <re-enter read-only database user password>
Executing action: 'create'.
Trusted Root SSL CA certificate was copied in file '/opt/rsa/am/utils/RSAAMTrustedRootSSLCA.crt'.
'create' action complete.
- Search the pg_hba.conf file for the name of the read-only user:
rsaadmin@am82p:/opt/rsa/am/utils> cat /opt/rsa/am/rsapgdata/pg_hba.conf | grep dbreaduser
hostssl all dbreaduser 10.114.187.0 255.255.255.0 md5
- Change to the root user and check iptables for port 7050, using options to list the rules with numeric output:
rsaadmin@am82p:/opt/rsa/am/utils> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # /usr/sbin/iptables -L -n -v | grep 7050
0 0 ACCEPT tcp -- * * 10.114.187.0 0.0.0.0/0 tcp dpt:7050
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7050
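- Search /etc/sysconfig/iptables for references to port 7050 to confirm the changes:
am82p:~ # cat /etc/sysconfig/iptables | grep 7050
-A INPUT -s 10.114.187.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP
The ACCEPT rule has a /32 source, which matches only the single address 10.114.187.0, while pg_hba.conf carries the 255.255.255.0 (/24) mask.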
Workaround
- Enable Secure Shell on the Appliance
- Log On to the Appliance Operating System with SSH
- Switch to the root user
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Thu Jan 2 15:50:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:~> sudo su -
rsaadmin's password: <enter operating system password>
- Edit /etc/sysconfig/iptables. For example, change from /32, as shown:
-A INPUT -s 10.24.0.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
to /24:
-A INPUT -s 10.24.0.0/24 -p tcp -m tcp --dport 7050 -j ACCEPT
- Restart the iptables service:
am82p:~ # service iptables restart
Restarting iptables
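The following is an added example, not RSA code: a check that compares each pg_hba.conf entry for the read-only user against the port 7050 ACCEPT rules, so the /32 versus /24 mismatch shown under Cause is reported and the workaround can be verified afterwards. The function names are hypothetical, the rule line format is assumed to match the /etc/sysconfig/iptables lines shown above, and the sample files are constructed from the values in this article.

```shell
#!/bin/sh
# Added example (not RSA code); function names are hypothetical.
mask_to_prefix() {
    # Convert a dotted netmask (255.255.255.0) to a prefix length (24).
    bits=0; full=1
    for octet in $(echo "$1" | tr '.' ' '); do
        case "$octet" in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
        esac
        # After the first octet below 255, every later octet must be 0.
        [ "$full" -eq 1 ] || [ "$n" -eq 0 ] || return 1
        [ "$n" -eq 8 ] || full=0
        bits=$((bits + n))
    done
    echo "$bits"
}

check_subnet_rules() {
    # $1 = pg_hba.conf path, $2 = iptables rules file, $3 = read-only db user
    status=0
    while read -r h_type h_db h_user h_addr h_mask h_rest; do
        [ "$h_type" = "hostssl" ] && [ "$h_user" = "$3" ] || continue
        prefix=$(mask_to_prefix "$h_mask") || { echo "SKIP $h_addr: unparsed mask $h_mask"; continue; }
        want="-A INPUT -s $h_addr/$prefix -p tcp -m tcp --dport 7050 -j ACCEPT"
        if grep -qxF -e "$want" "$2"; then
            echo "OK $h_addr/$prefix"
        else
            echo "MISMATCH $h_addr/$prefix: no ACCEPT rule for tcp/7050"
            status=1
        fi
    done < "$1"
    return $status
}

write_sample() {
    # Constructed sample files using the values shown in this article.
    printf '%s\n' 'hostssl all dbreaduser 10.114.187.0 255.255.255.0 md5' > "$1/pg_hba.conf"
    printf '%s\n' \
        '-A INPUT -s 10.114.187.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 7050 -j DROP' > "$1/iptables"
}

# Demo on the constructed sample: reports the /24 subnet as not allowed.
tmp=$(mktemp -d)
write_sample "$tmp"
check_subnet_rules "$tmp/pg_hba.conf" "$tmp/iptables" dbreaduser || echo "Subnet is not allowed through on port 7050"
rm -rf "$tmp"
```

On the appliance, the same function can be run as root against /opt/rsa/am/rsapgdata/pg_hba.conf and /etc/sysconfig/iptables, before and after the edit.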