000017226 - Error 'object not found' reported when trying to unassign or delete a token

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000017226
Applies To: RSA Authentication Manager 8.1
token administration
Issue: Error "object not found" reported when trying to unassign or delete a token
obj not found
Cause: Possible causes: migrated users with replacement tokens that were not used for logon, or users who were in the internal database and were exported with tokens to be imported again with an external identity source. It appears that the replacement tokens never quite make it if they have never been used.
Resolution

This issue will be fixed in RSA Authentication Manager 8.1 Patch 1 when it is released.

In the meantime, here are the steps to update a token so that it can be unassigned in the RSA Security Console.

Steps:

1. Log on to the virtual appliance (RSA Authentication Manager 8.1) with the rsaadmin account (where SSH session has been enabled via the RSA Operations Console).

2. Navigate to the /opt/rsa/am/utils folder.

3. Create a shell script called "SQL.sh" using an editor (such as vi).

4. Substitute <OC_Admin_ID> and <OC_Admin_Password> with your correct values in the script shown below:

     # Retrieve the database password with the Operations Console administrator credentials
     STRG=`/opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password -u <OC_Admin_ID> -p <OC_Admin_Password>`
     # echo $STRG
     # The output has the form "com.rsa.db.dba.password: <value>"; keep the second field
     PGPASSWORD=`echo $STRG | cut -d' ' -f2`
     export PGPASSWORD
     # echo $PGPASSWORD
     # Load the RSA environment, then open a psql session as rsa_dba
     . /opt/rsa/am/utils/rsaenv
     /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba

   ...and copy and paste the amended script into the editor on your virtual appliance. Save the new shell script as SQL.sh.

   Uncommenting the echo lines in the script reveals the parameters, allowing for troubleshooting (should it be needed).

   Example:

     rsaadmin@am81p:/opt/rsa/am/utils> ./SQL.sh
     com.rsa.db.dba.password: vDBh1Rb005S7nX9t304v8jy3eHFFGI
     vDBh1Rb005S7nX9t304v8jy3eHFFGI
     psql.bin (9.2.4)
     SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
     Type "help" for help.

     db=#

5. Update the permissions on the new shell script using the chmod command, e.g. chmod 755 SQL.sh

6. Run the new shell script SQL.sh to allow for database access.

   Example:

     rsaadmin@am81p:/opt/rsa/am/utils> ./SQL.sh
     psql.bin (9.2.4)
     SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
     Type "help" for help.

     db=#

7. Now we can run SQL statements to review table information in the Authentication Manager database.

   Substitute <token_serial_number> with the actual serial number of the token (including any leading zeros), e.g. 000233022518

   Viewing a single token

     select id, serial_number, replacement_mode, replace_token_sn, tokenreplace_updated_date from rsa_rep.am_token where serial_number = '<token_serial_number>';

   Example:

     rsaadmin@am81p:/opt/rsa/am/utils> ./SQL.sh
     psql.bin (9.2.4)
     SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
     Type "help" for help.

     db=# select id, serial_number, replacement_mode, replace_token_sn, tokenreplace_updated_date from rsa_rep.am_token where serial_number = '000233022518';
                    id                | serial_number | replacement_mode | replace_token_sn | tokenreplace_updated_date
     ----------------------------------+---------------+------------------+------------------+---------------------------
      7e68e26f271c200a1c3746aa5b14ca94 | 000233022518  |                0 |                  |
     (1 row)

     db=#

   Updating a single token

     update rsa_rep.am_token set replacement_mode = 0, replace_token_sn = null, tokenreplace_updated_date = null where serial_number = '<token_serial_number>';

   Example:

     rsaadmin@am81p:/opt/rsa/am/utils> ./SQL.sh
     psql.bin (9.2.4)
     SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
     Type "help" for help.

     db=# update rsa_rep.am_token set replacement_mode = 0, replace_token_sn = null, tokenreplace_updated_date = null where serial_number = '000233022518';
     UPDATE 1
     db=#

   Exiting db=#

   Use the "\q" sequence to return to the command line.

   Example:

     db=# \q
     rsaadmin@am81p:/opt/rsa/am/utils>

8. Log on to the RSA Security Console with an administrative account and unassign the token from the user.

   RSA Security Console > Authentication > SecurID Tokens > Manage Existing: search for the token in question using the token serial number (i.e. Serial Number contains <token_serial_number>)

   The token will become an unassigned, disabled token in the RSA Security Console in readiness to be assigned to a new user (or back to the same user as before).

   NOTE: Software tokens need to be distributed after being assigned to a user.
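
Steps 3 to 7 as a single script, written as an added example (not RSA's script and not part of the original article): it prompts for the Operations Console credentials instead of storing them in SQL.sh, and runs the article's select and update for one serial number in a single transaction. The function names, the digits-only check on the serial number and the ON_ERROR_STOP setting are assumptions of this example; the paths, port and SQL statements are the article's.

```bash
#!/bin/bash
# Added example, not RSA's script: clear the replacement fields of one token
# without keeping Operations Console credentials in a file.
UTILS=/opt/rsa/am/utils            # paths, port and SQL are the article's
PSQL=/opt/rsa/am/pgsql/bin/psql

# Assumption of this example: accept digits only, so the serial number can
# be placed inside the SQL string literal without quoting problems.
valid_serial() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read rsautil output on stdin and print the value that follows
# "com.rsa.db.dba.password:" (the article uses cut -d' ' -f2 for this).
parse_dba_password() {
  sed -n 's/^com\.rsa\.db\.dba\.password:[[:space:]]*//p' | head -n 1
}

# Print the article's select and update for one serial as a transaction.
build_sql() {
  valid_serial "$1" || return 1
  cat <<EOF
BEGIN;
select id, serial_number, replacement_mode, replace_token_sn, tokenreplace_updated_date from rsa_rep.am_token where serial_number = '$1';
update rsa_rep.am_token set replacement_mode = 0, replace_token_sn = null, tokenreplace_updated_date = null where serial_number = '$1';
COMMIT;
EOF
}

main() {
  sql=$(build_sql "$1") || { echo "serial number must be digits only" >&2; return 2; }
  printf 'Operations Console admin ID: ' >&2; read -r oc_id
  printf 'Operations Console admin password: ' >&2; read -rs oc_pw; echo >&2
  # -u/-p are used as in the article; the values come from the prompt.
  out=$("$UTILS/rsautil" manage-secrets -a get com.rsa.db.dba.password -u "$oc_id" -p "$oc_pw") || return 1
  unset oc_pw
  PGPASSWORD=$(printf '%s\n' "$out" | parse_dba_password)
  [ -n "$PGPASSWORD" ] || { echo "database password not found in rsautil output" >&2; return 1; }
  export PGPASSWORD
  . "$UTILS/rsaenv"
  printf '%s\n' "$sql" | "$PSQL" -h localhost -p 7050 -d db -U rsa_dba -v ON_ERROR_STOP=1
}

# Run only when a serial number is given, e.g. ./script 000233022518
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Pass the token serial number as the only argument and check that psql reports UPDATE 1 before continuing with step 8. Since the file contains no secrets, it can be kept executable for rsaadmin only (chmod 700) and reused for other serial numbers.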


  

 


  

 


 

Workaround: Use the Export / Import Tokens and Users option to export the user base, then remove the user data from the internal database and import the user and token information back, mapped to an identity source.
Notes: Log in to SSH on the primary.
Log on to the RSA AM 8.x primary local console/SSH session with the 'rsaadmin' account.
     cd /opt/rsa/am/utils
     ./rsautil manage-secrets -a get com.rsa.db.dba.password
Enter the OCadmin user and password. This returns the database password, e.g. com.rsa.db.dba.password: vDBh1Rb005S7nX9t304v8jy3eHFFGI, which you will copy and paste in a command below.
     cd ../pgsql/bin
     ./psql -h localhost -p 7050 -d db -U rsa_dba
Paste in the DB password, e.g. vDBh1Rb005S7nX9t304v8jy3eHFFGI (highlight the DB password and right-click to paste).
If successful, you will get the db=# prompt:
     db=#
Run the select and update SQL commands on a token serial number from the db=# prompt.
Substitute <token_serial_number> with the actual serial number of the token (including any leading zeros), e.g. 000233022518. You can select and paste the whole statement if there are no line feed breaks:
     select id, serial_number, replacement_mode, replace_token_sn, tokenreplace_updated_date from rsa_rep.am_token where serial_number = '000116927651';
The select statement will wrap in most SSH sessions, so you only see the end of it.
This is the first part of step 7 in Mostafa's PDF, Viewing a single token, and it proves you have the correct serial number and the token exists. The second part is updating a single token.
     update rsa_rep.am_token set replacement_mode = 0, replace_token_sn = null, tokenreplace_updated_date = null where serial_number = '000116927651';
Now you should be able to go to the Security Console and delete or unassign the token with SN 000116927651 or any other token serial number.
Legacy Article ID: a64536
