This article explains how to set the RSA Authentication Manager internal database password to be optional.
When adding a user to the internal database, the following warning displays:
The indicated field(s) on this page require your attention.
"Password" is required.
"Confirm Password" is required.
It is required for users in the internal database to have an RSA password.
The Identity Management System used in RSA Authentication Manager has to support users in different data stores (for example, Microsoft Active Directory and SunOne). This means that even though Authentication Manager does not require a password, our optional data stores do.
The RSA password may be used to log in to the Security Console and Self-Service Console by administrators and users, respectively. If the API is used, the RSA_Password method may also be used for login, provided the RSA_Password has been set.
Since the existence of this value depends on whether the user is stored in the internal database or in one of the optional data stores, the setting that manages this option is configured in the identity store settings in the Operations Console.
Remove the password requirement from the internal database by doing the following:
Log on to the Operations Console and navigate to Deployment Configuration > Identity Sources > Manage Existing.
Click on Internal Database and choose Edit from the list of options.
Select the "The user password is optional" radio button.
If any administrators are logged in to the Security Console, they will need to log out and back in to see the changes.
After making the change, when you create a new user in the internal database, the password prompts are replaced by a Manage Password checkbox. If you need the user to have a password, check Enable Password and enter the password as normal. This option exists so that you can still use the features listed above where the RSA password may be used.
Be careful to plan properly for this type of operation. Make sure the Security Console and Self-Service Console authentication methods have been configured to allow other credentials and that your users have those credentials.
You will always need at least one super admin with an internal password, because when the Operations Console prompts for the username and password of a user with super admin privileges, that user must be in the internal database.