000030005 - How to get an accurate active user license count in RSA Authentication Manager 8.1 using SQL

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on May 30, 2017.
Version 5

Article Content

Article Number: 000030005
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Issue
There can be confusion about the number of users counted against the Authentication Manager active user limit under Setup > License > Status.

[Screenshot: License Status page]

RSA sells two things for use with Authentication Manager:
  • Active user license limits through a product license, and
  • Tokens, which can include hardware tokens, software tokens, on-demand authenticators (ODA) and/or fixed passcodes.
Note the following about tokens and active users:
  • Any user with at least one of the above token authenticators assigned to them counts as one user against the active user limit, as defined in the software license.  This includes expired tokens assigned to any user, including LDAP external identity source users who have been removed or disabled in Active Directory.  Run a clean-up job to determine which tokens can be unassigned to free up your active user count.
  • A single user with two or more tokens of any type and a fixed passcode counts as only a single active user.
  • A single user with ODA enabled counts as an ODA user and as an active user.
Tasks

To log in to the appliance operating system via SSH and connect to the PostgreSQL database to run SQL queries


  1. Using the rsaadmin user credentials, log in to a command-line session via SSH, the virtual console or a direct KVM connection.
  2. Navigate to /opt/rsa/am/utils.
  3. Obtain the password for the rsa_dba user.  Note that the com.rsa.db.dba.password for your deployment will be different from the one shown below.  Treat this value as a deployment secret: it gives full access to the Authentication Manager database, so do not paste it into tickets or scripts.
cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter the Operations Console administrator name>
Please enter OC Administrator password: <enter the Operations Console administrator password>
com.rsa.db.dba.password: eXaMP13Q7dCYPQpeXjHsP7xxwhSpJEK

  4. Navigate to /opt/rsa/am/pgsql/bin.
  5. Connect to the Authentication Manager 8.x database, entering the com.rsa.db.dba.password when prompted.
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured above>
psql.bin (9.4.1)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.
db=#
Resolution
From the db=# prompt, run the following SELECT statement to list every registered user together with the authenticator flags that determine whether the user counts against the license:
SELECT loginuid, authenticator_bit_flags FROM rsa_rep.IMS_PRINCIPAL_DATA ipd WHERE authenticator_bit_flags IS NOT NULL;
     loginuid      | authenticator_bit_flags
-------------------+-------------------------
 trustedapp        | 1000000000
 @PROXYUSER@       | 100
 administrator     | 1001000
 toolbartest       | 1010000
 tempadmin3        | 1000000
 admin             | 1000100
 00634180          | 1000010
 kellis            | 1000001
 j                 | 1001000
 00623297          | 1001100
 jdmtest           | 0101000
 00663317          | 101000
(12 rows)


The authenticator_bit_flags value is a string of up to seven binary digits, read from left to right.  Some rows are stored without their leading zeros, so a six-digit value such as 101000 is the external-database value 0101000 with the first digit dropped.  The bit definitions are as follows:

Bit (from left) | Meaning
1 | User registered in the internal database.  Only visible when all 7 digits are displayed; leading zeros may be dropped.
2 | User registered in the external (LDAP) database.  When leading zeros are dropped this is the first digit of a six-digit value.  If every other bit is zero, the user is registered but does not count.
3 | Hardware token
4 | Software token or fixed passcode
5 | Self-Service Console security questions answered.  Does not count (e.g., 0100100).
6 | On-demand authentication (ODA)
7 | Risk-based authentication (RBA)

For example:
  • 1001000 is a user in the internal database with a software token or fixed passcode.
  • 1010000 is a user in the internal database with a hardware token.
  • 1000000 is a user in the internal database without any authenticators assigned; this user does not count as an active user.
  • 1000100 is a user in the internal database who answered security questions in the Self-Service Console; this user does not count as an active user.
  • 1000010 is a user in the internal database with on-demand authentication (ODA).
  • 1000001 is a user in the internal database with risk-based authentication (RBA).
  • 0101000 is a user in the external database with a software token or fixed passcode.
  • 101000 is the same kind of user in the external database with a software token or fixed passcode, with the leading 0 dropped.
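The query above lists the raw flags and leaves the counting to a spreadsheet. The following SQL, added here as an example and not taken from the RSA article, does the decoding in the database so that psql returns the count directly: it restores the dropped leading zeros with lpad(), labels each user according to the bit definitions above, and sums the users who hold a hardware token, a software token or fixed passcode, or ODA. It assumes the column holds the digits as text (the ::text cast makes it work either way); a row whose value is not one to seven binary digits, such as the trustedapp system account in the sample output, is listed but never counted; RBA-only users are reported separately because the article does not say whether they count against the active user limit; and the temporary view name am_auth_flags is chosen for the example.

```sql
-- Added example, not part of the RSA article.  Decode authenticator_bit_flags
-- into named boolean columns and count the users who consume an active user
-- license.  Assumptions: the column holds digits as text (cast either way);
-- values that are not 1-7 binary digits are skipped, not counted; RBA is
-- reported on its own because the article does not say whether it counts.
-- The view name am_auth_flags is hypothetical.

CREATE OR REPLACE TEMP VIEW am_auth_flags AS
SELECT loginuid,
       raw_flags,
       bits,
       raw_flags ~ '^[01]{1,7}$'   AS well_formed,          -- 1-7 binary digits only
       substr(bits, 1, 1) = '1'    AS internal_db,          -- bit 1
       substr(bits, 2, 1) = '1'    AS external_db,          -- bit 2
       substr(bits, 3, 1) = '1'    AS hw_token,             -- bit 3
       substr(bits, 4, 1) = '1'    AS sw_token_or_passcode, -- bit 4
       substr(bits, 5, 1) = '1'    AS ssc_questions,        -- bit 5, never counts
       substr(bits, 6, 1) = '1'    AS oda,                  -- bit 6
       substr(bits, 7, 1) = '1'    AS rba                   -- bit 7
FROM (
    SELECT loginuid,
           authenticator_bit_flags::text               AS raw_flags,
           -- restore leading zeros the stored value may lack (101000 -> 0101000)
           lpad(authenticator_bit_flags::text, 7, '0') AS bits
    FROM rsa_rep.IMS_PRINCIPAL_DATA
    WHERE authenticator_bit_flags IS NOT NULL
) s;

-- Per-user listing: why each registered user does or does not count.
SELECT loginuid, raw_flags, bits,
       CASE
           WHEN NOT well_formed                         THEN 'skipped: unexpected flag value'
           WHEN hw_token OR sw_token_or_passcode OR oda THEN 'active user'
           WHEN rba                                     THEN 'RBA only'
           ELSE                                              'registered, not counted'
       END AS license_status
FROM am_auth_flags
ORDER BY license_status, loginuid;

-- Totals.  active_users is the figure to compare with Setup > License > Status.
SELECT
    sum(CASE WHEN well_formed AND (hw_token OR sw_token_or_passcode OR oda) THEN 1 ELSE 0 END) AS active_users,
    sum(CASE WHEN well_formed AND hw_token             THEN 1 ELSE 0 END) AS hardware_token_users,
    sum(CASE WHEN well_formed AND sw_token_or_passcode THEN 1 ELSE 0 END) AS software_token_or_passcode_users,
    sum(CASE WHEN well_formed AND oda                  THEN 1 ELSE 0 END) AS oda_users,
    sum(CASE WHEN well_formed AND rba                  THEN 1 ELSE 0 END) AS rba_users,
    sum(CASE WHEN well_formed AND internal_db          THEN 1 ELSE 0 END) AS internal_db_users,
    sum(CASE WHEN well_formed AND external_db          THEN 1 ELSE 0 END) AS external_db_users,
    sum(CASE WHEN NOT well_formed                      THEN 1 ELSE 0 END) AS skipped_rows
FROM am_auth_flags;
```

Run it from the db=# prompt, or save it to a file (count_active.sql is a name chosen here) and run ./psql -h localhost -p 7050 -d db -U rsa_dba -f count_active.sql -o /tmp/Activeuser.txt; adding -A -F ',' to that command makes psql write the output comma-delimited, so the pipe-to-comma editing step is not needed. Applied to the twelve sample rows above, the listing labels seven users as active (administrator, toolbartest, 00634180, j, 00623297, jdmtest and 00663317), kellis as RBA only, and trustedapp as skipped; the remaining rows are registered but do not count.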
Notes
If you add the -o switch to the psql command, you can write the query output to a file:
./psql -h localhost -p 7050 -d db -U rsa_dba -o /tmp/Activeuser.txt

Once the file is created:
  1. Use WinSCP or FileZilla to copy /tmp/Activeuser.txt to your PC.
  2. Use a text editor to replace the pipe (|) with a comma so that you have a comma-delimited file, change the file extension to .csv and open it in Excel to manipulate or count users.
  3. Delete /tmp/Activeuser.txt from the appliance once it has been copied, since it lists every registered user ID.

Alternatively, instead of entering the SELECT statement interactively, run it as one command with the -c switch, placing the statement inside single quotes ('):
./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select loginuid, authenticator_bit_flags FROM rsa_rep.IMS_PRINCIPAL_DATA ipd where authenticator_bit_flags is not null;' -o /tmp/Activeuser.txt



 
