000028608 - Creating automated test users with a fixed passcode that does not need to be changed on initial logon using RSA Authentication Manager Bulk Admin (AMBA)

Document created by RSA Customer Support Employee on Jul 11, 2019. Last modified by RSA Customer Support Employee on Jul 15, 2019. Version 6.

Article Content

Article Number: 000028608
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 
Issue

Setting a fixed passcode via RSA Authentication Manager Bulk Admin (AMBA) with Add User and Password (AUP) leaves the fixed passcode in New PIN Mode, which forces the user to change the fixed passcode or password on initial logon. This is a problem when creating test users for automated testing, because the first unattended logon with the assigned passcode fails and is prompted for a new one instead.

The solution is to add a second step that sets the password change to not be required with a SQL command. The first logon then does not enter New PIN Mode to change the assigned fixed passcode. This is especially useful when creating test accounts in bulk.

Cause

RSA Authentication Manager Bulk Admin cannot set a fixed passcode that is not in New PIN Mode. Forcing a change on first use is a security feature designed for real users, not test users. Setting a fixed passcode that is not in New PIN Mode must therefore be done directly in SQL. See Resolution below for steps. Apply the change only to dedicated test accounts: clearing the flag in the database bypasses that control, so an account whose fixed passcode is known and never changes should not belong to a real user.

The AMBA command Add User with Password (AUP) has a SetPIN option to set the fixed passcode. Refer to page 43 of the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide.

If you are at a version lower than 8.4, be sure to use the correct guide for your deployment.

Resolution

To make these changes, first access SQL on the Authentication Manager primary. Look up the test user IDs by the loginuid field in the rsa_rep.ims_principal_data table, which returns the internal id for each UserID. Then look up the password_change_required field in the rsa_rep.am_principal table; that table has no loginuid column, but its id column holds the same internal ID.

Then update password_change_required to false for the test users, selecting them by their id in the am_principal table.

The two lookups can be joined so that the change is made in one command. Here is a proof of concept that walks through each lookup and update individually:



  1. Connect to the Authentication Manager server with an SSH session, through vSphere or a direct connection.
  2. Login as the rsaadmin user.

Note that during Quick Setup another user name may have been selected. Use that user name to login.



  3. Navigate to /opt/rsa/am/utils/.
  4. Run the command rsautil manage-secrets -a get com.rsa.db.dba.password to obtain the com.rsa.db.dba.password.


rsaadmin@am81p:~> cd /opt/rsa/am/utils/
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.db.dba.password: <output of the com.rsa.db.dba.password for your instance>


  5. Connect to the PostgreSQL database and run the script:


rsaadmin@am81p:~> cd /opt/rsa/am/pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password obtained in step 4 above>


  6. This places you at the database prompt. From here run the following commands, noting that your values will be different from the ones shown below:


db=# SELECT id, loginuid FROM rsa_rep.ims_principal_data;
                id                |   loginuid
----------------------------------+---------------
TrustedApplicationUserDataID     | trustedapp
3e9cacffdb9110ac0022a0564a9931c1 | @PROXYUSER@
000000000000000000001000d0021000 | admin
607854021e02a8c053a790daf3bfc58a | Administrator
564f4b611e02a8c075e0193ee95d7810 | Affiriplent
26467d1f1e02a8c0414f18165def167a | csalvati
8965d0ff1e02a8c04c915328b53a4019 | test1
ad2f09601e02a8c074652f72ea3ece91 | test2

(8 rows)

db=# SELECT id, password_change_required FROM rsa_rep.am_principal;
                id                | password_change_required
----------------------------------+--------------------------
26467d1f1e02a8c0414f18165def167a | f
607854021e02a8c053a790daf3bfc58a | f
564f4b611e02a8c075e0193ee95d7810 | f
8965d0ff1e02a8c04c915328b53a4019 | t
ad2f09601e02a8c074652f72ea3ece91 | t
(5 rows)

db=# SELECT id, password_change_required FROM rsa_rep.am_principal where id='8965d0ff1e02a8c04c915328b53a4019';
                id                | password_change_required
----------------------------------+--------------------------
8965d0ff1e02a8c04c915328b53a4019 | t
(1 row)

db=# UPDATE rsa_rep.am_principal SET password_change_required = false WHERE id='8965d0ff1e02a8c04c915328b53a4019';
UPDATE 1
db=# SELECT id, password_change_required FROM rsa_rep.am_principal where id='8965d0ff1e02a8c04c915328b53a4019';
                id                | password_change_required
----------------------------------+--------------------------
8965d0ff1e02a8c04c915328b53a4019 | f
(1 row)

db=# SELECT id, password_change_required FROM rsa_rep.am_principal WHERE id='ad2f09601e02a8c074652f72ea3ece91';
                id                | password_change_required
----------------------------------+--------------------------
ad2f09601e02a8c074652f72ea3ece91 | t
(1 row)

db=# UPDATE rsa_rep.am_principal SET password_change_required = false WHERE id='ad2f09601e02a8c074652f72ea3ece91';
UPDATE 1
db=# SELECT id, password_change_required FROM rsa_rep.am_principal WHERE id='ad2f09601e02a8c074652f72ea3ece91';
                id                | password_change_required
----------------------------------+--------------------------
ad2f09601e02a8c074652f72ea3ece91 | f
(1 row)
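The same change as a single joined statement, added here as an example and not part of the original article. It assumes the two tables shown above (rsa_rep.ims_principal_data and rsa_rep.am_principal, joined on id), PostgreSQL's UPDATE ... FROM syntax, and that the test accounts are named test1 and test2 (an assumed allow-list; substitute your own loginuid values). The explicit IN list is the safeguard: it prevents the update from clearing the flag for any real user. Run it inside the same psql session:

```sql
-- Added example (not from the original article). Assumes the tables shown above
-- and an allow-list of test account loginuids ('test1', 'test2' are assumed names).
BEGIN;

-- Preview which rows will change before touching anything.
SELECT p.id, p.loginuid, a.password_change_required
  FROM rsa_rep.ims_principal_data p
  JOIN rsa_rep.am_principal      a ON a.id = p.id
 WHERE p.loginuid IN ('test1', 'test2')
   AND a.password_change_required = true;

-- Clear the flag only for the listed test accounts, resolving loginuid to id
-- through the join instead of pasting internal IDs by hand.
UPDATE rsa_rep.am_principal a
   SET password_change_required = false
  FROM rsa_rep.ims_principal_data p
 WHERE p.id = a.id
   AND p.loginuid IN ('test1', 'test2')
   AND a.password_change_required = true;

-- Verify: every listed test account should now show f.
SELECT p.loginuid, a.password_change_required
  FROM rsa_rep.ims_principal_data p
  JOIN rsa_rep.am_principal      a ON a.id = p.id
 WHERE p.loginuid IN ('test1', 'test2');

-- Use ROLLBACK instead if the preview listed an account you did not expect.
COMMIT;
```

The transaction lets you inspect the preview and the row count reported by UPDATE before committing; if the count is larger than the number of test accounts in the list, roll back and check the loginuid values.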


Notes

The original article had an Admin API program that created users and fixed passcodes (see the attached original API commands.txt), but it is much easier to use AMBA AUP to do this.

Legacy Article ID: a51089
