000026751 - How to recover when RSA Authentication Manager 8.x system passwords are not known or are lost

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Aug 16, 2017. Version 3.

Article Content

Article Number: 000026751
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0, 8.1, 8.2
Issue: This article provides steps to recover when system passwords are not known or are lost for RSA Authentication Manager 8.0, 8.1 and 8.2.
Resolution: Authentication Manager 8.x uses multiple passwords for different functions; losing some of them has a more critical effect than losing others.
The most commonly used passwords are listed below.
  • Quick Setup Access Code.  This is generated by the Authentication Manager appliance during the initial deployment and displayed on the operating system console screen. It is required to perform the Quick Setup process. If it has been lost before Quick Setup has been run, restart the appliance to show the code on the operating system console screen. For the virtual appliance this is done through the vSphere or hypervisor console; for the hardware appliance, through a directly connected keyboard and monitor. You may need to press the <backspace> key to get past the screensaver.  Once Quick Setup has been run, the Quick Setup Access Code is no longer displayed and is no longer needed.
  • The initial Security Console internal super admin username and password.  There is no default username and password combination for this account, as it is chosen by the admin who performs the initial Quick Setup.  If the password for this super admin user is lost, there is no way to find it except by trial and error. Also, if the default password policy settings are used, this password expires every 90 days.

Remediation


  • Another Security Console admin can reset the unknown super admin password.  
  • If the operating system password and Operations Console administrator's username and password are all known, a temporary super admin account can be created.

To create a temporary super admin user


  1. Ensure that SSH access is enabled by logging in to the Operations Console and navigating to Administration > Operating System Access and checking the option to enable SSH on eth0.
  2. Start an SSH session to the Authentication Manager primary.  
  3. Navigate to /opt/rsa/am/utils.
  4. Run the ./rsautil restore-admin -u <temporary admin user name> -p <temporary admin password> CLU to create the temporary admin.  In the example below, the user is named tempadmin and the password is P4ssw0rd1!
  5. When prompted enter the Operations Console administrator's credentials.
  6. Enter y when prompted.
  7. Note that:
  • The temporary administrator's console access expires in 24 hours.
  • Security Console authentication policy is changed to RSA_Password/LDAP_Password.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:
Last login: Fri Dec 16 10:15:55 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil restore-admin -u tempadmin -p P4ssw0rd1!
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
A temporary admin will be created with user ID 'tempadmin'.
Are you sure you want to continue? (Y/N): y
Admin created successfully.
*****************************************************************************
Note
    1) The 'tempadmin's console access will expire on Fri Dec 23 13:18:30 EST 2016.
    2) Console authentication policy is changed to RSA_Password/LDAP_Password. In order to make the policy change effective
       please flush the cache through operations console.
*****************************************************************************
rsaadmin@am81p:/opt/rsa/am/utils>

  8. Now launch the Security Console and log in as tempadmin with the password defined in step 4.  With access to the Security Console, this temporary admin can change the password of another super admin who might have been locked out of the console.
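As an added example (not part of this article or of any RSA tool), the following Python parses the output that ./rsautil restore-admin prints, as shown in the SSH session above, so that the temporary admin's user ID, its expiry time, and the resulting change of the console authentication policy can be recorded in the change or incident ticket and the required cache flush is not forgotten. The output format is taken from the transcript above; the sample text is a constructed copy of that transcript's output lines.

```python
import re
from datetime import datetime

# Constructed sample: the lines ./rsautil restore-admin printed in the
# article's SSH session, copied as a string so the parser runs offline.
SAMPLE_OUTPUT = """\
A temporary admin will be created with user ID 'tempadmin'.
Are you sure you want to continue? (Y/N): y
Admin created successfully.
*****************************************************************************
Note
    1) The 'tempadmin's console access will expire on Fri Dec 23 13:18:30 EST 2016.
    2) Console authentication policy is changed to RSA_Password/LDAP_Password. In order to make the policy change effective
       please flush the cache through operations console.
*****************************************************************************
"""

ADMIN_RE = re.compile(r"created with user ID '([^']+)'")
EXPIRY_RE = re.compile(r"console access will expire on (.+?)\.\s*$", re.M)
POLICY_RE = re.compile(r"authentication policy is changed to (\S+)\.")


def parse_restore_admin_output(text):
    """Return a dict describing the temporary admin the CLU created,
    or None if the output does not report a successful creation."""
    if "Admin created successfully." not in text:
        return None

    admin = ADMIN_RE.search(text)
    expiry = EXPIRY_RE.search(text)
    policy = POLICY_RE.search(text)

    result = {
        "admin": admin.group(1) if admin else None,
        "expires": None,
        "policy": policy.group(1) if policy else None,
        # The CLU tells the operator the policy change is not effective
        # until the cache is flushed from the Operations Console.
        "cache_flush_required": "flush the cache" in text,
    }

    if expiry:
        # The CLU prints e.g. 'Fri Dec 23 13:18:30 EST 2016'. strptime has
        # no portable directive for the zone abbreviation, so drop that
        # token (index 4) and parse the rest as a naive local timestamp.
        parts = expiry.group(1).split()
        stripped = " ".join(parts[:4] + parts[5:])
        result["expires"] = datetime.strptime(stripped, "%a %b %d %H:%M:%S %Y")

    return result


def hours_until_expiry(result, now):
    """Hours of console access left for the temporary admin at time `now`
    (negative once it has expired)."""
    return (result["expires"] - now).total_seconds() / 3600


def follow_up_actions(result):
    """The follow-up steps this article calls for after the CLU succeeds."""
    actions = []
    if result["cache_flush_required"]:
        actions.append("Flush the cache through the Operations Console so the "
                       "%s policy takes effect." % result["policy"])
    actions.append("Log in to the Security Console as '%s' and reset the "
                   "locked-out super admin's password." % result["admin"])
    if result["expires"] is not None:
        actions.append("Temporary console access ends at %s." %
                       result["expires"].isoformat(sep=" "))
    return actions


if __name__ == "__main__":
    info = parse_restore_admin_output(SAMPLE_OUTPUT)
    for line in follow_up_actions(info):
        print("-", line)
```

Feed the real CLU output to parse_restore_admin_output (for example by pasting the session into a file and reading it) and attach the returned fields and follow_up_actions to the ticket that authorised the break-glass login.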

To change an Operations Console administrator's password


A super admin can reset the password for an existing Operations Console administrator or create a new Operations Console administrator through the Security Console.

  1. Log in to the Security Console as a super admin user.
  2. Select Administration > Manage OC Administrators.
  3. From the list, locate the Operations Console administrator who lost their password and click Change Password.
  4. This interface can also be used to create a new Operations Console administrator by clicking on Add New.
 

Initial login if Quick Setup has not been done


Before Quick Setup is complete, the SUSE Linux operating system has an initial login of rsaadmin for the user ID and a default password of rsaadmin.  During the Quick Setup process, the admin is required to choose a new password for the rsaadmin login. If this password is lost, there is no way to find it except by trial and error.  Since various database maintenance activities require SSH access that prompts for these credentials, it is imperative to store them in a secure location.
 

Backup password


Running a backup through the Operations Console, under Maintenance, requires the administrator to enter a password.  The backup file is encrypted using this password. If this password is lost, there is no way to recover it except by trial and error, and if it is not found the backup is unusable.  Another backup whose password is known is still usable, and new backups can be created.
 

Diagnostic troubleshooting password


Creating diagnostic troubleshooting files through the Operations Console (Administration > Download Troubleshooting Files) requires the administrator to create a password to encrypt the zip file. If this password is lost, there is no way to recover the password and the troubleshooting files will be unusable.  A new troubleshooting file can be created.
Legacy Article ID: a67464
