000038141 - The utility manage-readonly-dbusers does not allow access from a subnet despite using the -n option with RSA Authentication Manager 8.2 SP1 and above

Article Number: 000038141
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1, 8.3, 8.4 patch 6

When running the ./rsautil manage-readonly-dbusers CLU with the -n option, the expected result is that the read-only database user is created and that clients on the subnet given with -n can connect to the database. The user is created, but connections from the subnet are refused.

Cause:
The firewall (iptables) does not allow the subnet specified with -n: the ACCEPT rule it writes for port 7050 covers only the single /32 address given with -i. For example:
  1. You created a new read-only database user using the command below, where -X is debug mode, -a the action (create), -o the Operations Console user, -u the new database username, -i the IP address of the client and -n the IP mask of the client machine(s):


rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-readonly-dbusers -X -a create -o ocadmin -u dbreaduser -i -n
Enter Operations Console (OC) password: <enter Operations Console admin password>
Enter password for the read-only database user: <enter read-only database user password>
Confirm password for the read-only database user: <re-enter read-only database user password>
Executing action: 'create'.
Trusted Root SSL CA certificate was copied in file '/opt/rsa/am/utils/RSAAMTrustedRootSSLCA.crt'.
'create' action complete.

  2. Cat the pg_hba.conf file for the name of the read-only user:

rsaadmin@am82p:/opt/rsa/am/utils> cat /opt/rsa/am/rsapgdata/pg_hba.conf | grep dbreaduser
hostssl all             dbreaduser           md5

  3. Change to the root user and check iptables for port 7050, using options to list the rules with numeric output:

rsaadmin@am82p:/opt/rsa/am/utils> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # /usr/sbin/iptables -L -n -v | grep 7050
0 0 ACCEPT tcp -- * * tcp dpt:7050 
0 0 DROP tcp -- * * tcp dpt:7050

  4. Check /etc/sysconfig/iptables for the rules on port 7050. The ACCEPT rule carries only the single -i address as its source, followed by a DROP for everything else:

am82p:~ # cat /etc/sysconfig/iptables | grep 7050
-A INPUT -s -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP

Workaround:
Edit /etc/sysconfig/iptables directly.
  1. Enable Secure Shell on the Appliance.
  2. Log on to the Appliance Operating System with SSH.
  3. Switch to the root user:

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Thu Jan  2 15:50:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> sudo su -
rsaadmin's password: <enter operating system password>

  4. Edit /etc/sysconfig/iptables and widen the source of the ACCEPT rule for port 7050. For example, change it from /32, as shown:

-A INPUT -s -p tcp -m tcp --dport 7050 -j ACCEPT

to /24:

-A INPUT -s -p tcp -m tcp --dport 7050 -j ACCEPT

  5. Restart the iptables service so the edited file is loaded:

am82p:~ # service iptables restart
Restarting iptables  
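The rule edit above can be done with an editor, but it is easy to get the source wrong or to leave the ACCEPT rule after the DROP rule, where iptables never reaches it. The script below is an added example and is not RSA's code or part of the appliance: it rewrites the /32 ACCEPT rule for port 7050 to a subnet, refuses masks wider than /24, and checks that ACCEPT still precedes DROP. The addresses 192.0.2.10 and 192.0.2.0/24 are assumptions chosen for illustration, as is the constructed copy of the iptables file in the demo.

```shell
#!/bin/sh
# Added example, not RSA's code: rewrite the ACCEPT rule that guards the
# read-only database port (7050) in /etc/sysconfig/iptables from a single
# /32 host to a subnet, and check the result before restarting iptables.
# The addresses 192.0.2.10 and 192.0.2.0/24 below are assumptions chosen
# for illustration; the real client address comes from the -i/-n options.

AM_DB_PORT=7050

# prefix_ok CIDR: accept only /24 .. /32. Anything wider than /24 exposes the
# database port to more hosts than a read-only reporting client normally needs.
prefix_ok() {
    p=${1#*/}
    case $p in
        ''|*[!0-9]*) return 1 ;;      # missing or non-numeric prefix length
    esac
    [ "$p" -ge 24 ] && [ "$p" -le 32 ]
}

# widen_rule FILE OLD_HOST NEW_CIDR: print FILE with the
# "-A INPUT -s OLD_HOST/32 ... --dport 7050 -j ACCEPT" rule rewritten to use
# NEW_CIDR as its source. Returns 1 if the /32 rule is not present, 2 if
# NEW_CIDR is wider than /24. Nothing is written in place: redirect the output
# to a new file, review it, then copy it over the original.
widen_rule() {
    file=$1; old=$2; new=$3
    prefix_ok "$new" || { echo "refusing mask wider than /24: $new" >&2; return 2; }
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # literal dots for grep/sed
    rule="-A INPUT -s ${old_re}/32 -p tcp -m tcp --dport ${AM_DB_PORT} -j ACCEPT"
    grep -q -- "^${rule}\$" "$file" || {
        echo "no /32 ACCEPT rule for $old on port $AM_DB_PORT" >&2; return 1; }
    sed -e "s|^${rule}\$|-A INPUT -s ${new} -p tcp -m tcp --dport ${AM_DB_PORT} -j ACCEPT|" "$file"
}

# accept_before_drop FILE: iptables evaluates INPUT rules in order, so the
# ACCEPT for the subnet must appear before the catch-all DROP for the port.
accept_before_drop() {
    a=$(grep -n -- "--dport ${AM_DB_PORT} -j ACCEPT" "$1" | head -n 1 | cut -d: -f1)
    d=$(grep -n -- "--dport ${AM_DB_PORT} -j DROP"   "$1" | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# Demo on a constructed copy of the relevant rules (not a real appliance file).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP
COMMIT
EOF
    widen_rule "$tmp" 192.0.2.10 192.0.2.0/24 > "$tmp.new" || { rm -f "$tmp"; return 1; }
    if accept_before_drop "$tmp.new"; then
        echo "ACCEPT precedes DROP; port ${AM_DB_PORT} rules are now:"
        grep -- "--dport ${AM_DB_PORT}" "$tmp.new"
    fi
    rm -f "$tmp" "$tmp.new"
}

demo
```

On the appliance, run widen_rule as root against /etc/sysconfig/iptables, redirect the output to a new file, compare it with the original, and only then copy it into place and run service iptables restart. Also confirm that the address column of the dbreaduser entry in /opt/rsa/am/rsapgdata/pg_hba.conf covers the same subnet; PostgreSQL will reject clients that iptables now lets through if that entry is still a single host.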
Notes:
Restore the original /32 rule before deleting this user with manage-readonly-dbusers. Keep the mask as narrow as the reporting clients require: a /24 opens the database port to every host on that subnet, not only to the intended client.