000036919 - CUSD command generates a failure when moving tokens between security domains in RSA Authentication Manager Bulk Administration (AMBA)

Document created by RSA Customer Support Employee on Dec 21, 2018

Article Content

Article Number: 000036919
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 or later
Issue: An administrator is using the Change User/Token Security Domain (CUSD) command to move tokens from one Security Domain to another, and the command generates an error message in the AMBA output file.

Failure: yyyy-mm-dd hh:mm:ss : Line 2 - changeUserSecurityDomain - User: Unassigned, Token: 000xxxxxx123 NOT moved to Security Domaine: MyNewSecDomain - Reason: failed to find principal
Cause: Tokens being moved between Security Domains have left-over CT-KIP authcode data referencing a principal that no longer exists in the Authentication Manager database.
Resolution: An administrator can review and remove the CT-KIP authcode data from the rsa_rep.am_ctkip_authcode table within the Authentication Manager database.

Steps to acquire the Authentication Manager database administrator password

  1. Log on to the SecurID appliance with the rsaadmin account, either via SSH (where Secure Shell has been enabled) or the local console.
Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  2. Navigate to the /opt/rsa/am/utils folder using the command:

cd /opt/rsa/am/utils

  3. Retrieve the password for the rsa_dba user using the following command:

./rsautil manage-secrets -a get com.rsa.db.dba.password

NOTE: When prompted, enter the Operations Console administrative account username and password.

Report on CT-KIP authcode data

  1. To generate a report on CT-KIP authcode data use the following command:

/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT a.id, a.token_id, a.principal_id FROM rsa_rep.am_ctkip_authcode a, rsa_rep.am_principal p where a.principal_id=p.id ) TO STDOUT WITH CSV HEADER " > /tmp/report_data.csv

  2. When prompted, enter the rsa_dba password obtained in step 3 above.
  3. Review the contents of /tmp/report_data.csv:

more /tmp/report_data.csv

Removing CT-KIP authcode data

  1. To remove the CT-KIP authcode data in the rsa_rep.am_ctkip_authcode table, use the following command:

/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "delete FROM rsa_rep.am_ctkip_authcode"

  2. When prompted, enter the rsa_dba password obtained in step 3 above.

NOTE: The distribution of software tokens via dynamic seed provisioning (CT-KIP) will generate new data in the rsa_rep.am_ctkip_authcode table.
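The article's report query uses an inner join on rsa_rep.am_principal, so it lists only authcode rows whose principal still exists, while the delete command clears the whole table. The following SQL is an added example, not part of the RSA article: it surfaces the rows whose principal is gone (the left-over data the Cause section describes) and removes only those rows inside a transaction, so the count can be checked before anything is committed. It assumes, as the article's own report query does, that am_ctkip_authcode.principal_id refers to am_principal.id; no other columns beyond those in the article's query are used.

```sql
-- Added example (not from the RSA article). Assumes, like the article's report
-- query, that rsa_rep.am_ctkip_authcode.principal_id refers to rsa_rep.am_principal.id.

-- 1. How many authcode rows still have a principal, and how many are orphaned?
SELECT
    SUM(CASE WHEN p.id IS NOT NULL THEN 1 ELSE 0 END) AS with_principal,
    SUM(CASE WHEN p.id IS NULL     THEN 1 ELSE 0 END) AS orphaned
FROM rsa_rep.am_ctkip_authcode a
LEFT JOIN rsa_rep.am_principal p ON p.id = a.principal_id;

-- 2. List the orphaned rows with the same columns as the article's CSV report.
SELECT a.id, a.token_id, a.principal_id
FROM rsa_rep.am_ctkip_authcode a
LEFT JOIN rsa_rep.am_principal p ON p.id = a.principal_id
WHERE p.id IS NULL;

-- 3. Remove only the orphaned rows. Running inside a transaction means the
--    remaining count can be inspected first; issue ROLLBACK instead of COMMIT
--    to undo the delete if the numbers are not what was expected.
BEGIN;
DELETE FROM rsa_rep.am_ctkip_authcode a
WHERE NOT EXISTS (
    SELECT 1 FROM rsa_rep.am_principal p WHERE p.id = a.principal_id
);
SELECT COUNT(*) AS remaining FROM rsa_rep.am_ctkip_authcode;
COMMIT;
```

Save the statements to a file and run them with the same psql invocation the article uses, e.g. /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -f /tmp/check_ctkip.sql, entering the rsa_dba password when prompted. Rows that still belong to an existing principal are left in place for tokens whose dynamic seed provisioning (CT-KIP) is still pending.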

Notes: For more information on the Change User/Token Security Domain (CUSD) command, refer to page 62 of the RSA Authentication Manager 8.3 Bulk Administration Utility (AMBA) Guide.

The syntax will be as follows: