Use this procedure to restore the Super Admin user to a deployment using the Super Admin Restoration utility, restore-admin.
The Super Admin Restoration utility is used to restore access to the deployment in an emergency. By default, the lifetime for the Super Admin account that you create with this utility is 24 hours. The password you specify when creating this Super Admin is not validated by the default password policy. Instead, the password is validated by the initial password policy that is applied during Quick Setup. This initial password policy requires between 8 and 32 characters, at least one alphabetic character, and at least one special character, excluding spaces, @, and ~. RSA recommends as a best practice that you create a password that conforms to the current default password policy when you use this utility.
Although it is possible to enter the Operations Console administrator credentials on the command line along with the other options, this creates a potential security vulnerability. RSA recommends that you enter the password only when the utility presents a prompt.
Before you begin
- You must be familiar with the Linux operating system.
- Do not perform this procedure on a replica instance.
- You must enable SSH through the Operations Console (OC). This provides access to the Operating System (OS) shell command prompt.
- You must have OS login credentials (rsaadmin login ID and password). These credentials allow you to login to the OS and access the OS shell command prompt.
- You must have OC credentials. These are required to execute the restore-admin command.
- Log on to the appliance with the User ID rsaadmin and the current operating system password:
- On a hardware appliance, the Amazon Web Services appliance or the Azure appliance, log on to the appliance using an SSH client.
- On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.
- On a Hyper-V virtual appliance, log on to the appliance using an SSH client, the Hyper-V Virtual Machine Manager Console, or the Hyper-V Manager.
- Change directories to /opt/rsa/am/utils.
./rsautil restore-admin -u newadmin -p adminpassword
- newadmin is the User ID for the new Super Admin.
- adminpassword is the password for the new Super Admin. The password requires between 8 and 32 characters, at least one alphabetic character, and at least one special character, excluding spaces, @, and ~.
and press ENTER.
- When prompted for the Operations Console Administrator username, enter the Operations Console administrator User ID, and press ENTER.
- When prompted, enter the Operations Console administrator password, and press ENTER.
- When prompted with Are you sure you want to continue? (Y/N), type Y, and press ENTER.
After you finish
The Super Admin Restoration utility also resets the Security Console authentication policy to LDAP_Password/RSA Password. In order for this change to take effect, use the Operations Console to flush the cache. For instructions, see Flush the Cache.