SecurID® Discussions

ThomasRicou

How to activate an Online Emergency Token Code through the API?

Hi,

Actually, I managed to do basic tasks with PowerShell through New-WebServiceProxy. I can assign/unassign tokens to (Active Directory) users, making some verifications like making sure nobody gets 2 tokens.

I would now like to permit one of my users to use a temporary Fixed Token code for, let's say, 2 weeks. I need to allow authentication with the token at any time and then disable the online emergency tokencode.

First, I don't know the right workflow for this. I mean, does my code choose the code or will the response contain it? Do I have to create an empty TokenEmergencyAccessDTO, fill it with parameters and then use the update command? How does the GenerateEmergencyAccessCodeCommand command work?

I can't find the procedural steps to permit my user to use an emergency token code through the API.

Since I already had a command server and a sessionId, I tried:

1. GenerateEmergencyAccessCodeCommand

$query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
$query.tokenGuid = $token.id

$CommandServer.executeCommand($loginCommand.sessionId, $query)

I get the following error, while I can't specify an identity source: com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified

2. LookupTokenEmergencyAccessCommand

I could not make it work

3. UpdateTokenEmergencyAccessCommand

I could not make it work either, by passing a TokenEmergencyAccessDTO:

algorithm                       : 0
clearUnusedCodes                : False
downloadNewEaTokenCode          : False
eaExpiration                    : 30/09/2018 00:00:00
eaMode                          : 1
eacExpiresOn                    :
emergencyAccessTokenCode        :
emergencyAccessTokenCodeAllowed : True
id                              :
lastEaAuth                      :
lastTFTAuth                     :
lostMode                        : 0
numUnusedCodes                  : 0
offlineAuthAllowed              : False
oneTimeTokencodeSet             :
serialNumber                    : 000505193721
temporaryFixedTokencode         : 852963
tftExpiration                   :
tokenLost                       : False
tokenType                       : 0
validDownloadedData             : False
validOfflineData                : False
validOnlineData                 : False

Well, any help in activating an Emergency Access code with the API would be much appreciated!

Accepted Solutions

Hi Thomas - I see that you have opened a support case with RSA.  That's probably the route to go as I have too many unanswered questions to efficiently troubleshoot this in the forum.

Thanks,

Ted

TedBarbour (Employee)

Hi Thomas - here is some rough test code (java) around generating emergency code.  Hopefully this will get you headed in the right direction…

import java.util.Date;
// The command and DTO classes below come from the RSA Authentication Manager SDK
// (imports omitted here, as in the original snippet); sn holds the token serial number.

//Lookup token guid
LookupTokenCommand lookup = new LookupTokenCommand();
lookup.setSerialNumber(sn);
lookup.execute();
TokenDTO token = lookup.getToken();
//set up emergency access
LookupTokenEmergencyAccessCommand lookupEA = new LookupTokenEmergencyAccessCommand();
lookupEA.setGuid(token.getId());
lookupEA.execute();
TokenEmergencyAccessDTO eac = lookupEA.getTokenEmergencyAccess();
eac.setTokenLost(true);
eac.setLostMode(TokenDTO.DISABLE_EA_ON_AUTH); //code stops working after the first successful auth
eac.setEaMode(1); //fixed tokencode
eac.setEaExpiration(new Date(109,8,16)); //September 16, 2009 (java.util.Date: year offset from 1900, zero-based month)
//generate and set code
GenerateEmergencyAccessCodeCommand genEAC = new GenerateEmergencyAccessCodeCommand();
genEAC.setTokenGuid(token.getId());
genEAC.execute();
String code = genEAC.getEmergencyAccessCode();
eac.setTemporaryFixedTokencode(code);
System.out.println("EAC for " + sn + " is: " + code); //display the EA tokencode (test code only: the code is a live credential)
//apply the EA settings - equivalent to the "Save" button on the SC GUI
UpdateTokenEmergencyAccessCommand updateEA = new UpdateTokenEmergencyAccessCommand(eac);
updateEA.execute();


Hi Ted,

I just ran the process you described (thanks a lot for it), but when I use the LookupTokenEmergencyAccessCommand, I get the following error: com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified

Would you have any clue about this?

Thanks.


Same with GenerateEmergencyAccessCodeCommand


Please see the AdminAPIDemos example code in the SDK for an example of obtaining an identity source identifier:

…

public AdminAPIDemos() throws Exception {
        SearchRealmsCommand searchRealmCmd = new SearchRealmsCommand();
        searchRealmCmd.setFilter(Filter.equal(RealmDTO.NAME_ATTRIBUTE, "SystemDomain"));
        searchRealmCmd.execute();
        RealmDTO[] realms = searchRealmCmd.getRealms();
        if (realms.length == 0) {
            throw new Exception("ERROR: Could not find realm SystemDomain");
        }
        domain = realms[0].getTopLevelSecurityDomain();
        idSource = realms[0].getIdentitySources()[0];

…

Beyond that we would need to see your code and the stack trace/error being thrown to try to help further.

Ted


Actually, I don't have any trouble getting the idSource when needed, but here I get the error on a function that doesn't ask for the idSource.

You can copy/paste this code into connect_rsaapi.ps1 (it complies with my company's coding rules):

function rsa_set_globals(
    [string]$rsa_server = "<your RSA AM server>",
    [string]$admin_login = '<your login>',
    [SecureString]$admin_password, # can be passed through : $admin_password = read-host -AsSecureString
    [string]$api_login = "CmdClient_********",
    [string]$api_password = "******************************"
) {
    write-host "Récup WSDL et creation namespace rsaapi" -ForegroundColor DarkCyan
    $secpass=ConvertTo-SecureString $api_password -AsPlainText -Force
    $cred=New-Object System.Management.Automation.PSCredential($api_login, $secpass)
    # Accepts any server certificate: this disables TLS validation for the whole process.
    # Only acceptable in a lab; in production, trust the AM server's CA instead.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The proxy object itself is not used afterwards; the call generates the rsaapi.* types.
    $securIDWebService = New-WebServiceProxy -Uri "https://${rsa_server}:7002/ims-ws/services/CommandServer?wsdl" -Namespace rsaapi -Credential $cred

    write-host "Créer le server de commandes" -ForegroundColor DarkCyan
    $Global:CommandServer = New-Object rsaapi.CommandServerService
    $Global:CommandServer.Credentials=$cred
    $Global:CommandServer.Url="https://${rsa_server}:7002/ims-ws/services/CommandServer"

    write-host "Mise en forme des identifiants de $admin_login" -ForegroundColor DarkCyan
    $userNameParam=New-Object rsaapi.FieldParameterDTO
    $userNameParam.promptKey="AUTHENTICATIONSERVICE_PRINCIPALID"
    $userNameParam.value = $admin_login

    $userPasswordParam=New-Object rsaapi.FieldParameterDTO
    $userPasswordParam.promptKey = "PASSWORD_CREDENTIAL"
    # The API needs the clear-text password; scrub the unmanaged copy once it has been read.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($admin_password)
    try {
        $userPasswordParam.value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    [rsaapi.AbstractParameterDTO[]]$paramsArray=@($userNameParam,$userPasswordParam)

    write-host "Connexion de $admin_login" -ForegroundColor DarkCyan
    $Global:loginCommand = New-Object rsaapi.LoginCommand
    $Global:loginCommand.authenticationMethodId="LDAP_Password"
    $Global:loginCommand.parameters=$paramsArray
    # No session yet: the login is executed with a null session id and returns the session-bearing command
    $Global:loginCommand=$Global:CommandServer.executeCommand([System.Management.Automation.Language.NullString]::Value , $loginCommand)

    if (! $loginCommand.authenticationState.Equals("authenticated")) {
        write-host "Login et/ou mot de passe incorrects" -ForegroundColor Red
        throw "Login et/ou mot de passe incorrects"
    }
}

function rsa_get_idsource (
    [string]$nom = "<Your Id source Name (Active directory domain for me)>"
) {
    $query = New-Object rsaapi.GetIdentitySourcesCommand
    $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    return ($result.identitySources | where {$_.name -like $nom})
}

function rsa_get_user(
    [Parameter(Mandatory=$True)][string]$login,
    [int]$min = 1,
    [int]$max = 1,
    [int]$search_limit = 5000 # I used the dirty way here...I know...
) {
    $query = New-Object rsaapi.SearchPrincipalsCommand
    $query.identitySourceGuid = (rsa_get_idsource).guid
    $query.limit = $search_limit # I used the dirty way here...I know...
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de retrouver l'utilisateur $Login :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }

    $principals = $result.principals | where {$_.userID -like $login}

    if ($principals.count -lt $min) {
        Write-Host "On n'a pas trouvé assez d'utilisateurs avec" $login ":" $principals.count "au lieu de minimum" $min -ForegroundColor Red
        throw "Pas assez d'utilisateurs trouvés"
    } elseif ($principals.count -gt $max) {
        Write-Host "On a trouvé trop d'utilisateurs avec" $login ":" $principals.count "au lieu de maximum" $max -ForegroundColor Red
        throw "Trop d'utilisateurs trouvés"
    }
    return $principals
}

function rsa_get_token (
    [Parameter(Mandatory=$True)][long]$serialNumber
) {
    $query = New-Object rsaapi.LookupTokenCommand
    $query.serialNumber = "{0:D12}" -f $serialNumber # AM serial numbers are zero-padded to 12 digits
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de trouver le token $serialNumber :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    return $result.token
}

function rsa_link_token_to_user (
    [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user,
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    $query = New-Object rsaapi.LinkTokensWithPrincipalCommand
    $query.principalGuid = $user.guid
    $query.tokenGuids    = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible d'associer le token" $Token.serialNumber "à" $User.userID ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

function rsa_get_user_tokens (
    [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user
) {
    $query = New-Object rsaapi.ListTokensByPrincipalCommand
    $query.principalId = $user.guid
    $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    return $result.tokenDTOs
}

function rsa_unassign_token (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    $query = New-Object rsaapi.UnlinkTokensFromPrincipalsCommand
    $query.tokenGuids = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de libérer le token" $Token.serialNumber "associé à '" $token.assignedUserId "' :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

# lostMode values of the TokenEmergencyAccessDTO (same names as the TokenDTO constants in the Java SDK)
Add-Type -TypeDefinition @"
   public enum EA_mode
   {
      DISABLE_EA_ON_AUTH=1,
      DISABLE_EA_ON_EXPIRE=2,
      DISABLE_EA_NEVER=3
   }
"@

function rsa_emergency_code (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token,
    [Parameter(Mandatory=$True)][EA_mode]$mode,
    [Parameter(Mandatory=$True)][DateTime]$expiration
) {
    # Generate a code
    $query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
    $query.tokenGuid = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de générer un code d'accès pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    $code = $result.emergencyAccessCode # the try clause has never worked so I'm not sure this is the correct property name

    # Retrieve the token's emergency access
    $query = New-Object rsaapi.LookupTokenEmergencyAccessCommand
    $query.Guid = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de trouver l'accès d'urgence du token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    $tokenEA = $result.tokenEmergencyAccess # the try clause has never worked so I'm not sure this is the correct property name

    # Push the generated code into the token's emergency access
    $tokenEA.tokenLost = $true
    $tokenEA.lostMode = [int]$mode
    $tokenEA.eaMode = 1 # Fixed token code
    $tokenEA.eaExpiration = $expiration.Date # eaExpiration is a DateTime; keep the date part only (was an undefined $a)
    $tokenEA.temporaryFixedTokencode = $code
    $query = New-Object rsaapi.UpdateTokenEmergencyAccessCommand
    $query.tokenEmergencyAccessDTO = $tokenEA
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de pousser le code" $code "pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

Then, you can run in a PowerShell console:

$Token_number = '12345678' # of an assigned token, of course
$days = 7 # days to enable EA code, starting today
$admin_login = $env:USERNAME # or login of the administrator connecting to the AM
$admin_password = read-host -AsSecureString  # password of this token administrator

$ErrorActionPreference = "Stop"

#Chargement modules
Write-Host "Chargement console RSA" -ForegroundColor Cyan
. connect_rsaapi.ps1
rsa_set_globals -admin_login $admin_login -admin_password $admin_password

$token = rsa_get_token -serialNumber $Token_number

rsa_emergency_code -token $token -mode DISABLE_EA_ON_AUTH -expiration (Get-Date).AddDays($days)

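Two companion functions for the script above, added as an example here and not part of the thread: one re-reads the token's emergency access after rsa_emergency_code and checks that the settings are what a lost-token policy expects (single-use code, bounded lifetime), the other revokes the emergency access once the user has their token back. They assume the rsaapi proxy and the $CommandServer / $loginCommand globals from connect_rsaapi.ps1 are loaded and that the DTO fields behave as in the dump above; clearing the code by blanking temporaryFixedTokencode and setting clearUnusedCodes is an assumption.

```powershell
function rsa_get_token_ea (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    # Same lookup as in rsa_emergency_code, factored out so it can be called before and after an update
    $query = New-Object rsaapi.LookupTokenEmergencyAccessCommand
    $query.guid = $token.id
    $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    return $result.tokenEmergencyAccess
}

function rsa_check_emergency_code (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token,
    [int]$maxDays = 14   # longest EA lifetime your policy allows (the thread's "2 weeks")
) {
    $ea = rsa_get_token_ea -token $token
    $problems = @()
    if (-not $ea.tokenLost) { $problems += "tokenLost is not set" }
    if ($ea.eaMode -ne 1)   { $problems += "eaMode is $($ea.eaMode), expected 1 (fixed tokencode)" }
    if ($ea.lostMode -ne [int][EA_mode]::DISABLE_EA_ON_AUTH) {
        $problems += "lostMode lets the code be reused after a successful authentication"
    }
    if ($ea.eaExpiration -gt (Get-Date).AddDays($maxDays)) {
        $problems += "eaExpiration $($ea.eaExpiration) is beyond the $maxDays-day limit"
    }
    if ([string]::IsNullOrEmpty($ea.temporaryFixedTokencode)) {
        $problems += "no temporary fixed tokencode stored"
    }
    # Report the state only; the code itself is a live credential and must not be logged
    if ($problems.Count -eq 0) {
        Write-Host "EA for token" $token.serialNumber "is active until" $ea.eaExpiration -ForegroundColor Green
    } else {
        Write-Host "EA for token" $token.serialNumber "is misconfigured:" -ForegroundColor Red
        $problems | ForEach-Object { Write-Host " -" $_ -ForegroundColor Red }
    }
    return ($problems.Count -eq 0)
}

function rsa_revoke_emergency_code (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    $ea = rsa_get_token_ea -token $token
    $ea.tokenLost = $false                # token back to normal operation
    $ea.temporaryFixedTokencode = $null   # assumption: blanking the field drops the fixed code
    $ea.clearUnusedCodes = $true          # assumption: discards any unused codes (field seen in the DTO dump)
    $query = New-Object rsaapi.UpdateTokenEmergencyAccessCommand
    $query.tokenEmergencyAccessDTO = $ea
    $CommandServer.executeCommand($loginCommand.sessionId, $query) | Out-Null
}
```

Run rsa_check_emergency_code right after rsa_emergency_code, and rsa_revoke_emergency_code as soon as the physical token is recovered rather than waiting for eaExpiration.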

If you run parts of my rsa_emergency_code function, then you will see that GenerateEmergencyAccessCodeCommand and LookupTokenEmergencyAccessCommand do not contain an identitySourceGuid property (New-Object rsaapi.LookupTokenEmergencyAccessCommand | gm), unlike "New-Object rsaapi.SearchPrincipalsCommand | gm" does.
