After you use the RSA SecurID Authentication API to regenerate agent credentials, either in the Security Console or on a command line, you must provide REST protocol authentication agents with the new Access ID and Access Key. To make this process easier and more flexible:
You can restore the previous agent credentials, for example, if the new credentials were regenerated by mistake. When you restore the previous credentials, the credentials that you replaced can be used for authentication.
After you regenerate or restore the agent credentials, REST Protocol authentication agents can use the previous Access ID and Access Key for 60 days or a timeframe that you specify. This allows authentication to continue until the agents receive the new credentials. If necessary, you can extend the timeframe.
You can list the current and previous credentials.
System audit logs indicate when authentication agents use the previous credentials.
Note:If you feel as though the Access ID and Access Key have been compromised, regenerate credentials two times before providing the new credentials to your agents.
Before you begin
Obtain the rsaadmin operating system password.
Log on to the appliance using an SSH client.
When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
To restore the Access ID and Access Key, enter:
./rsautil manage-rest-access-credential -a restore
To regenerate the previous Access ID and Access Key, enter:
./rsautil manage-rest-access-credential -a generate
To list the current and previous Access ID and Access Key, enter:
./rsautil manage-rest-access-credential -a list
Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.