000031020 - How to enable unassigned tokens in bulk for Authentication Manager 8.1 SP1 or later

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000031020
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
IssueWhen tokens are imported into Authentication Manager, they are set to Disabled by default and are enabled automatically when assigned or edited.  However, when users request them through the Self-Service Console with automatic approval (0 steps), the email to the end user requires the user to enable/activate the token.
This can be confusing to end users and can generate Help Desk calls, especially since the steps to Activate the token are listed first in the email but will not work until token is first set to Enabled.  This How To article  provides a work-around this situation.
Tasks

To work around this issue, an Authentication Manager administrator will need to:


  1. Either enable unassigned tokens in bulk through the Security Console; or
  2. Enable all disabled tokens through a SQL update command in the PostgreSQL database.
ResolutionEnable unassigned tokens in bulk through the Security Console
A simple work-around would be enable the tokens in bulk in the Security Console?.  Note that a maximum of 500 unassigned tokens can be selected at a time.
  1. From the Security Console, select AuthenticationSecurID Tokens > Manage Existing.  
  2. Click on the Unassigned tab.
  3. In the Search Criteria options, define the Security Domain and search for All Unassigned Tokens.
  4. When the results come back, place a check next to the tokens you wish to enable.
  5. As in the screen shot below, change the Action box to Enable.
  6. Click Go.
Select 500 Tokens
After clicking Go, the green check is removed from the Disabled column, indicating the token is now enabled for use.  Now the user can successfully request token through Self Service Console.
Enable 500 Tokens 
Enable all disabled tokens through a SQL UPDATE command in the PostgreSQLdatabase
Login to the Authentication Manager primary server via SSH, vSphere or a direct connection as rsaadmin.
Navigate to /opt/rsa/am/utils.
Obtain the database password with the command ./rsautil manage-secrets -a get com.rsa.db.dba.password.
 
login as: rsaadmin
Using keyboard-interactive authentication.
Password:
Last login: Wed Oct  7 16:31:13 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin name>
Please enter OC Administrator password: <enter Operations Console admin name>
com.rsa.db.dba.password: rSKD5bGguLGNL9uGvFWnJoxIcHJah2
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba:
psql.bin (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
db=# SELECT serial_number,IS_ENABLED FROM am_TOKEN WHERE IS_ENABLED='f';
 serial_number | is_enabled
---------------+------------
 000031701333  | f
 000031701334  | f
 000031701335  | f
.
.
.

The list of token serial numbers displayed here should match the tokens shown as Disabled in the Security Console GUI.
Next, update these tokens to be Enabled by setting the IS_ENABLED value from false to true.
db=# UPDATE rsa_rep.AM_TOKEN set IS_ENABLED='t' WHERE IS_ENABLED='f';
UPDATE 639

Refresh the Security Console and compare the list of tokens with the tokens in the GUI to confirm the token flag was updated successfully and the tokens are now listed as enabled.

Attachments

    Outcomes