Managing REST Protocol Authentication Agent Credentials

Document created by RSA Information Design and Development Employee on Jul 27, 2020Last modified by RSA Link Admin on Sep 18, 2020
Version 2Show Document
  • View in full screen mode

After you use the RSA SecurID Authentication API to regenerate agent credentials, either in the Security Console or on a command line, you must provide REST protocol authentication agents with the new Access ID and Access Key. To make this process easier and more flexible:

  • You can restore the previous agent credentials, for example, if the new credentials were regenerated by mistake. When you restore the previous credentials, the credentials that you replaced can be used for authentication.
  • After you regenerate or restore the agent credentials, REST Protocol authentication agents can use the previous Access ID and Access Key for 60 days or a timeframe that you specify. This allows authentication to continue until the agents receive the new credentials. If necessary, you can extend the timeframe.
  • You can list the current and previous credentials.
  • System audit logs indicate when authentication agents use the previous credentials.

Note:  If you feel as though the Access ID and Access Key have been compromised, regenerate credentials two times before providing the new credentials to your agents.

Before you begin 

Obtain the rsaadmin operating system password.

Procedure 

  1. Log on to the appliance using an SSH client.
  2. When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
  3. Change directories:

    cd /opt/rsa/am/utils

  4. To restore the Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a restore

    To regenerate the previous Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a generate

    To list the current and previous Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a list

  5. Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.
    1. Change directories:

      cd /opt/rsa/am/server

    2. Run the following:

      ./rsaserv restart all

 

 

 

 

 

You are here
Table of Contents > RSA SecurID Authentication API for Authentication Agents > Managing REST Protocol Authentication Agent Credentials

Attachments

    Outcomes