I just did this per the SDK documentation:
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-readonly-dbusers -a create -o ocadmin -u rouser -i 192.168.20.100
Enter Operations Console (OC) password: ********
Enter password for the read-only database user: ********
Confirm password for the read-only database user: ********
Executing action: 'create'.
Trusted Root SSL CA certificate was copied in file '/opt/rsa/am/utils/RSAAMTrustedRootSSLCA.crt'.
'create' action complete.
rsaadmin@am82p:/opt/rsa/am/utils>
