000034865 - Deleting expired SecurID software tokens in the RSA Authentication Manager 8.x Security Console fails

Document created by RSA Customer Support Employee on Mar 1, 2017. Last modified by RSA Customer Support Employee on Jul 28, 2017. Version 3.

Article Content

Article Number: 000034865
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Issue: The Authentication Manager Security Console displays the following message when an administrator deletes an expired software token:

Either another administrator deleted one or more of the selected objects, or you attempted to delete objects from more than one identity source at the same time.
Cause: The RSA SecurID software tokens were distributed to end users using Dynamic Seed Provisioning (CT-KIP), and the rsa_rep.am_ctkip_authcode table in the Authentication Manager database still holds outstanding rows for the software tokens that need to be deleted.
Resolution: Before using this resolution, take a backup of the Authentication Manager database.
  1. From the Operations Console, select Maintenance > Backup and Restore > Back Up Now
  2. Leave the default backup name or change it.
  3. Enter and confirm a Backup Password.  Be sure to store this password in a secure location.  If this password is lost, the backup cannot be restored.
  4. Select a Backup Location and click Backup.
  5. When the backup is complete, click Done.


Generate a token report


An administrator can generate a report on the contents of the rsa_rep.am_ctkip_authcode table in the Authentication Manager database. The export is a copy of the CT-KIP authorization-code table, so restrict who can read it and delete every copy once the review is finished.
  1. Log on to the primary Authentication Manager server, either over SSH or at the local console, with the rsaadmin operating system account.
  2. Navigate to /opt/rsa/am/utils.
  3. Retrieve the password for the rsa_dba database user using the following command. The value shown is an example; your password will be different, and it should be handled as a secret:
    ./rsautil manage-secrets -a get com.rsa.db.dba.password
    Please enter OC Administrator username: <enter Operations Console administrator ID>
    Please enter OC Administrator password: <enter Operations Console administrator password>
    com.rsa.db.dba.password: ckg2DBtNZLy80TADWcGqdF0NOJygAQ

  4. Generate a report using this command, entered on one line, and supply the rsa_dba password retrieved in step 3 when prompted:
    /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT * FROM rsa_rep.am_ctkip_authcode ) TO STDOUT WITH CSV HEADER" > /tmp/report_data.csv

    Password for user rsa_dba: <enter com.rsa.db.dba.password captured above>

  5. Use an SFTP/SCP client, such as WinSCP, to copy report_data.csv to a Windows workstation so it can be reviewed in another application (for example, Microsoft Excel). Remove /tmp/report_data.csv and the copied file when the review is complete.
  6. Use the report to confirm that the token serial numbers it lists are the tokens generating the message in the Security Console. For each serial number that appears both in the report and in the Security Console message, an administrator can remove that token's rows from the rsa_rep.am_ctkip_authcode table with a SQL statement.
 

Removing token data


  1. Repeat steps 1 - 3 above if disconnected from the SSH session.
  2. Navigate to /opt/rsa/am/utils.
  3. Enter the Authentication Manager database using the command:
    /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
    Password for user rsa_dba: <enter com.rsa.db.dba.password captured above>

  4. Enter the following SQL statement to delete the outstanding rows for one token, replacing <token_serial_number> with the exact token serial number:
    DELETE FROM rsa_rep.am_ctkip_authcode WHERE token_serial_num = '<token_serial_number>';

  5. An administrator can now use the Security Console to delete the software token.
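The report and deletion steps above are typed by hand, one DELETE per token. The following script is an added example, not RSA tooling, that takes the serial numbers matched against the report (one per line in a file, here assumed to be called serials.txt) and removes their rows in a single transaction. It uses the psql path, port, database, user and the token_serial_num column exactly as the article gives them; the serial-list file name and the validation rule (digits only) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not RSA tooling: delete stale rsa_rep.am_ctkip_authcode rows for a
# list of token serial numbers in one transaction instead of one DELETE per token.
# Paths, port, database, user and column name are the ones given in this article;
# the serial-list file and the digits-only rule are assumptions of this example.

PSQL=/opt/rsa/am/pgsql/bin/psql
DB_ARGS="-h localhost -p 7050 -d db -U rsa_dba"

# is_serial: accept only a non-empty string of decimal digits, so a value pasted
# from a spreadsheet can never reach the SQL as anything but a quoted literal.
is_serial() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# build_delete_sql: read serials from stdin (one per line, blank lines ignored) and
# print a transaction that counts the matching rows, deletes them, and re-counts.
# Prints nothing and returns 1 if any serial fails validation or the list is empty.
build_delete_sql() {
  list=''
  while IFS= read -r s || [ -n "$s" ]; do
    s=$(printf '%s' "$s" | tr -d ' \r')
    [ -z "$s" ] && continue
    if ! is_serial "$s"; then
      printf 'rejected serial: %s\n' "$s" >&2
      return 1
    fi
    list="${list:+$list, }'$s'"
  done
  [ -n "$list" ] || return 1
  printf 'BEGIN;\n'
  printf 'SELECT count(*) AS rows_before FROM rsa_rep.am_ctkip_authcode WHERE token_serial_num IN (%s);\n' "$list"
  printf 'DELETE FROM rsa_rep.am_ctkip_authcode WHERE token_serial_num IN (%s);\n' "$list"
  printf 'SELECT count(*) AS rows_after FROM rsa_rep.am_ctkip_authcode WHERE token_serial_num IN (%s);\n' "$list"
  printf 'COMMIT;\n'
}

# Usage: sh delete_ctkip_rows.sh serials.txt
# serials.txt is a hypothetical file, one serial per line, copied from the CSV report.
# psql prompts for the rsa_dba password on the terminal. ON_ERROR_STOP makes psql exit
# on the first error, which closes the connection and rolls back the open transaction.
if [ "$#" -eq 1 ]; then
  sql=$(build_delete_sql < "$1") || exit 1
  printf '%s\n' "$sql" | "$PSQL" $DB_ARGS -v ON_ERROR_STOP=1
fi
```

The two count queries show how many rows were matched before and after the DELETE, which is the check the manual procedure lacks. Rejecting anything that is not a plain digit string matters because the serial comes from a file an administrator edited by hand; a stray quote would otherwise change the statement. Setting a restrictive umask before the report step keeps /tmp/report_data.csv readable only by rsaadmin.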


Deleting a large number of tokens


Where there are a large number of tokens to delete, the following task can be performed. Note that it removes the rows for every token with outstanding CT-KIP data, not only the expired ones, so review the report first.
  1. Repeat steps 1 - 3 above if disconnected from the SSH session.
  2. Navigate to /opt/rsa/am/utils.
  3. Enter the Authentication Manager database using the command:
    /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
    Password for user rsa_dba: <enter com.rsa.db.dba.password captured above>

  4. Enter the following SQL statement to preserve a copy of the rsa_rep.am_ctkip_authcode table data:
    CREATE TABLE rsa_rep.am_ctkip_authcode_old AS (SELECT * FROM rsa_rep.am_ctkip_authcode);

  5. Remove all of the data in the rsa_rep.am_ctkip_authcode table with this SQL statement:
    DELETE FROM rsa_rep.am_ctkip_authcode;

  6. Log in to the Security Console and delete the software tokens.

Once the tokens have been deleted and the copy is no longer needed, drop the rsa_rep.am_ctkip_authcode_old table, since it holds the same data as the original.
