000037102 - Generate reports for extendable and nonextendable tokens in RSA Authentication Manager 8.2 or later

Document created by RSA Customer Support Employee on Jan 17, 2019Last modified by RSA Customer Support Employee on Jul 30, 2020
Version 2Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000037102
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.2 or later
Issue
  • The Extendable category is not available in the default RSA Authentication Manager report templates. The only way to check on this detail from the UI is by opening the token dashboard from the Security Console (Authentication > SecurID Tokens > Manage Existing). In this dashboard, you will see the Extendable column and a green check when a token is extendable.
  • As this report cannot be generated from within the Security Console UI, the following database queries provide a workaround for generating the reports.
Resolution
  1. Launch an SSH client, such as PuTTy.
  2. Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.

During Quick Setup, another username may have been selected. Use that username to log in.



  1. Enter the following command to get the database password:

rsaadmin@am83p:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: ckg2DBtNZLy80TADWcGqdF0NOJygAQ



The database password will be different for each installation of RSA Authentication Manager.


  1. Use the following queries to generate the reports:
    1. To generate a report of all extendable tokens, regardless of token expiration dates

rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is not null )TO STDOUT WITH CSV HEADER " > /tmp/all_extendableTokens_report.csv
Password for user rsa_dba: <enter the com.rsa.db.dba.password string from above>
 


  1. Use the following query to generate a report of extendable tokens that shut down before a specific expiration date. In the example below, the date is 28 February 2021 and can be changed to any date.

rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is not null AND amt.token_shutdown_date <= '2021-02-28 00:00:00.000') TO STDOUT WITH CSV HEADER " > /tmp/extendableTokens2_report.csv
 


  1. To generate a report of all nonextendable tokens



rsaadmin@am83p:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT ipd.loginuid, iis.name, amt.serial_number, amt.token_shutdown_date FROM rsa_rep.ims_principal_data ipd INNER JOIN rsa_rep.ims_identity_source iis ON iis.id = ipd.identity_src_id LEFT JOIN rsa_rep.am_token amt ON amt.principal_id = ipd.id where amt.terminate_date is null ) TO STDOUT WITH CSV HEADER " > /tmp/non_extendableTokens_report.csv



  1. The reports are saved in /tmp. You can copy the reports using the WinSCP application to your local PC and view them using Excel.
Notes
  • Token extension-lifetime is only available for software tokens that are distributed on RSA Authentication Manager 8.2 or later.
  • AM-32003 was opened as a request for enhancement (RFE) to add the extendable token option in the default report templates.


 

Attachments

    Outcomes