Change the Timeframe for Using REST Protocol Authentication Agent Credentials

After you use the SecurID Authentication API to regenerate agent credentials, REST Protocol authentication agents can use the previous Access ID and Access Key for up to 60 days or a timeframe that you specify. This allows authentication to continue until the agents receive the new credentials. If necessary, you can extend the timeframe.

Note: If you believe the Access ID and Access Key have been compromised, instead of changing the timeframe, regenerate credentials two times before providing the new credentials to your agents.

Before you begin

Obtain the rsaadmin operating system password.


  1. Log on to the appliance using an SSH client.
  2. When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
  3. Change directories:

    cd /opt/rsa/am/utils

  4. To change the number of days that REST protocol authentication agents can use the previous agent credentials, enter:

    ./rsautil store -o admin -a update_config auth_manager.rest_service.old_access_retain_days Number GLOBAL 503

    Where Number is the number of days, for example, 90.

  5. Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.
    1. c. Change directories:
    2. cd /opt/rsa/am/server

    3. Run the following:
    4. ./rsaserv restart all