How do I reset the master password when it is not known?
RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
Internal Only. This solution is not officially supported, and should only be used as a last resort. This solution has significant issues, and the customer should be STRONGLY encouraged to locate the correct Master Password, instead of using this solution. This includes such mundane things as verifying they are using a good keyboard.
Master password was forgotten or is not known.
IMPORTANT UPDATE: 07/06/2021
Should a customer reach out to RSA support for help with resetting the master password when it is not known, the support scope is to engage Professional Services or a senior engineer through their account manager.
DO NOT SUPPLY THIS TO CUSTOMERS WITHOUT MANAGEMENT APPROVAL! Management needs to be informed about this situation, and they need to approve supplying this information or the file to customers. If the situation is critical, raise it with your reporting manager for help.
Verify that the customer really needs to reset an unknown Master Password, and NOT a SuperAdmin, Operations Console Admin, or Operating System password.
Technical support should refrain from supplying the jar file to customers by any means.
This can be done with a hotfix and a new CLU.
1. The customer has applied the latest hotfix rollup or is at SP2 or higher.
2. The reset-masterpwd.jar file has been installed on the primary server. This file must be copied to %RSAHOME%/utils/lib. (For the Appliance, you will need to transfer the file to /tmp as emcsrv, then move it as root.) For the Appliance and other non-Windows versions, change the file permissions as follows:
Note: SP2 includes a newer version of existing utilities. From the release notes:
To recover the master password, you must create at least one additional RSA Operations Console administrator immediately after installing Authentication Manager. Make sure that this administrator has a password that is different from the master password. All Operations Console administrators can run the manage-secrets CLU to recover the system fingerprint, which is initially encrypted using the master password.
The manage-secrets CLU has five new options:
-u, --user User name for the encrypted properties file.
-p, --password Password of the user for the encrypted properties file.
-N, --new-master-pwd New master password for 'change' action.
-f, --file Password-protected file to import, export, or load.
-F, --force Force an overwrite of the administrator credentials with an imported file.
The manage-backup CLU has two new options:
-u, --user Operations Console administrator user name for the encrypted properties file.
-p, --password Operations Console administrator password for the encrypted properties file.
You can use these options to run the CLU when you cannot access the master password.