000037102 - How to generate reports for extendable and non-extendable tokens in Authentication Manager 8.2 or later

Document created by RSA Customer Support Employee on Jan 17, 2019
Version 1

Article Content

Article Number: 000037102
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 or later
Issue
  • The flagged category Extendable is not available in the default Authentication Manager report templates.  The only way to check this detail from the UI is by opening the token dashboard from the Security Console (Authentication > SecurID Tokens > Manage Existing). In this dashboard you will see the Extendable column and a green check when a token is extendable.
  • As this report can't be generated from within the Security Console UI, the following database queries provide a workaround for generating the reports.
Resolution
  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.



  3. Enter the following command to get the database password:

rsaadmin@am83p:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: ckg2DBtNZLy80TADWcGqdF0NOJygAQ



Note that the database password will be different for each installation of Authentication Manager.


  4. Use the following queries to generate the desired report(s):
    1. To generate a report of all extendable tokens, regardless of token expiration dates:

rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is not null )TO STDOUT WITH CSV HEADER " > /tmp/all_extendableTokens_report.csv
Password for user rsa_dba: <enter the com.rsa.db.dba.password string from above>
 


    2. Use the following query to generate a report of extendable tokens that shut down before a specific expiration date. In the example below the date is 28 February 2021 and can be changed to any date you desire.

rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is not null AND amt.token_shutdown_date <= '2021-02-28 00:00:00.000') TO STDOUT WITH CSV HEADER " > /tmp/extendableTokens2_report.csv
 


    3. To generate a report of all non-extendable tokens:



rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is null ) TO STDOUT WITH CSV HEADER " > /tmp/non_extendableTokens_report.csv



  5. The reports are saved in /tmp. You can copy the reports using the WinSCP application to your local PC and view them using Excel.
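
The three queries above differ only in their WHERE clause, so they can be built from one template. The shell functions below are an added example, not RSA-provided tooling: build_query, run_report and the output path in the usage comment are assumed names. The cutoff date is checked to be YYYY-MM-DD before it is placed in the SQL text, and the report is created readable by its owner only.

```shell
#!/bin/sh
# Added example: builds the article's three COPY queries from one template.
# Function names and the output file are assumptions, not RSA tooling.

PSQL=/opt/rsa/am/pgsql/bin/psql   # path as used in the article

# build_query MODE [CUTOFF]
#   MODE:   extendable | non-extendable
#   CUTOFF: optional YYYY-MM-DD shutdown-date limit (extendable only)
build_query() {
    mode=$1 cutoff=${2:-}
    case $mode in
        extendable)     cond="amt.terminate_date is not null" ;;
        non-extendable) cond="amt.terminate_date is null" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if [ -n "$cutoff" ]; then
        # Accept only a plain date so nothing else reaches the SQL text.
        case $cutoff in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "cutoff must be YYYY-MM-DD" >&2; return 1 ;;
        esac
        [ "$mode" = extendable ] || { echo "cutoff applies to extendable only" >&2; return 1; }
        cond="$cond AND amt.token_shutdown_date <= '$cutoff 00:00:00.000'"
    fi
    printf '%s' "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where $cond ) TO STDOUT WITH CSV HEADER"
}

# run_report MODE OUTFILE [CUTOFF]; psql prompts for the rsa_dba password.
run_report() {
    sql=$(build_query "$1" "${3:-}") || return 1
    ( umask 077   # report lists user IDs and token serials: owner-only file
      "$PSQL" -h localhost -p 7050 -d db -U rsa_dba -c "$sql" > "$2" )
}

# Usage: run_report extendable "$HOME/extendable_2021-02-28.csv" 2021-02-28
```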
Notes
  • Token extension-lifetime is only available for software tokens distributed on Authentication Manager 8.2 or later.
  • AM-32003 was opened as a request for enhancement (RFE) to add the extendable token option in the default report templates.


 
