000038850 - Create a report of online emergency access tokencodes and emergency access tokencode lifetimes for RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on May 28, 2020
Version 1

Article Content

Article Number: 000038850

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
RSA Authentication Manager does not have a report template that includes the following content under Online Emergency Access:
  • Type of emergency access tokencodes:
    • Temporary fixed tokencode, or
    • Set of one time tokencodes
  • Emergency access tokencode lifetime
This article explains how to create such a report using the command line.

Resolution
To create the report:
  1. Enable Secure Shell on the Appliance.
  2. Log on to the Appliance Operating System with SSH.
  3. Launch an SSH client, such as PuTTY.
  4. Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.

During Quick Setup, another username may have been selected. Use that username to log in.



login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am


  5. Connect to the RSA Authentication Manager database and enter credentials for the Operations Console administrator when prompted.
  6. The com.rsa.db.dba.password is returned. This password is unique to each deployment of RSA Authentication Manager.

rsaadmin@primary:~> cd /opt/rsa/am/utils
rsaadmin@primary:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: ijMFjf61f2VZMA2JMBmOnJqUSYsXby


  7. Access the database with the com.rsa.db.dba.password captured above:

rsaadmin@primary:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@primary:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured in step 6>
psql.bin (9.4.1)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.

db=#


  8. Run the following query to get both the set of one time tokencodes and temporary fixed tokencodes:

db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, amt.emergency_access_mode, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND TOKEN_TEMP_STATUS_EXPIRY_DATE is not null;
loginuid | token_temp_status_expiry_date | emergency_access_mode | serial_number
----------+-------------------------------+-----------------------+---------------
iman | 2020-05-26 21:59:00 | 2 | 000116033641 (set of one time tokencodes)
camerica | 2020-05-26 21:59:00 | 1 | 000116033642 (temporary fixed tokencode)
(2 rows)

 


Where,
1 = Temporary fixed tokencode
2 = Set of one time tokencodes


  9. To list the temporary fixed tokencode only:

db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=1;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+----------------+---------------
camerica | 2020-05-26 21:59:00 | | 000116033642
(1 row)


  10. To list a set of one time tokencodes only:

db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=2;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+----------------+---------------
iman | 2020-05-26 21:59:00 | | 000116033641
(1 row)


  11. For a list of previously configured tokens and users (not enabled for Online Emergency Access anymore):

db=# SELECT ipd.loginuid, TOKEN_TEMP_STATUS_EXPIRY_DATE, eac_expires_on, amt.serial_number FROM rsa_rep.ims_principal_data ipd, rsa_rep.am_token amt WHERE ipd.ID= amt.principal_id AND amt.EMERGENCY_ACCESS_MODE=0;
loginuid | token_temp_status_expiry_date | eac_expires_on | serial_number
----------+-------------------------------+---------------------+---------------
dstrange | | 2020-06-11 23:59:59 | 000116033640
dstrange | | 2019-09-20 23:59:59 | 000406113859
(2 rows)
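
The queries above can be combined into a single report that labels each emergency access mode and shows the lifetime left on each tokencode. This is an added example, not RSA-supplied code; it uses only the tables and columns shown in the queries above, and the output path /tmp/oea_report.csv and the timestamp type of the expiry columns are assumptions.

```sql
-- Added example, not RSA-supplied. Run inside the psql session opened above.
-- Assumption: both expiry columns are PostgreSQL timestamp types, so they
-- can be compared with and subtracted from LOCALTIMESTAMP.

-- Send comma-separated, unaligned output to a file (hypothetical path).
\pset format unaligned
\pset fieldsep ','
\pset footer off
\o /tmp/oea_report.csv

SELECT ipd.loginuid,
       amt.serial_number,
       CASE amt.emergency_access_mode
            WHEN 1 THEN 'Temporary fixed tokencode'
            WHEN 2 THEN 'Set of one time tokencodes'
            WHEN 0 THEN 'Previously configured (no longer enabled)'
            ELSE 'Unknown mode ' || amt.emergency_access_mode::text
       END AS tokencode_type,
       amt.token_temp_status_expiry_date,
       amt.eac_expires_on,
       -- Lifetime left on the emergency access tokencode; NULL for rows
       -- that have only eac_expires_on set.
       CASE
            WHEN amt.token_temp_status_expiry_date IS NULL THEN NULL
            WHEN amt.token_temp_status_expiry_date <= LOCALTIMESTAMP THEN 'expired'
            ELSE (amt.token_temp_status_expiry_date - LOCALTIMESTAMP)::text
       END AS time_remaining
FROM   rsa_rep.am_token amt
JOIN   rsa_rep.ims_principal_data ipd ON ipd.id = amt.principal_id
-- Keep only tokens that carry some emergency access expiry value.
WHERE  amt.token_temp_status_expiry_date IS NOT NULL
   OR  amt.eac_expires_on IS NOT NULL
ORDER  BY amt.emergency_access_mode DESC,
          amt.token_temp_status_expiry_date,
          ipd.loginuid;

-- Close the file and restore normal interactive output.
\o
\pset fieldsep '|'
\pset format aligned
\pset footer on
```

The output file lists which accounts currently hold emergency access tokencodes, so restrict its permissions and delete it once the report has been copied off the appliance.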
