Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
ThomasRicou
Beginner
Beginner

How to activate an Online Emergency Token Code though API ?

Jump to solution

Hi,

Actually, I managed to do basic tasks with powershell though New-WebServiceProxy. I can assign/unassign tokens to (Active Directory) users making some verifications like making sure nobody gets 2 tokens.

I would like now to permit one of my user to use a temporary Fixed Token code for let's say 2 weeks. I need to allow authentication with the token at any time and then disable online emergency tokencode.

 

First, I don't know the good workflow for this, I mean, do my code choose the code or will the response contain it ? Do I have to create an empty TokenEmergencyAccessDTO, fill it with parameters and then user the update command ? How does the GenerateEmergencyAccessCodeCommand command work ?

I can't find the procedural steps to permit my user to use an emergency token code though the API.

 

Since I already had a command server and a sessionid, I tried :

1. GenerateEmergencyAccessCodeCommand 

$query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
$query.tokenGuid = $token.id

$CommandServer.executeCommand($loginCommand.sessionId, $query)

 

I get the following error while I can't specify an identity source : com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified

 

2. LookupTokenEmergencyAccessCommand

I could not make it work

 

3. UpdateTokenEmergencyAccessCommand

I could not make it work neither by passing a tokenEmergencyAccesDTO :

algorithm                       : 0
clearUnusedCodes                : False
downloadNewEaTokenCode          : False
eaExpiration                    : 30/09/2018 00:00:00
eaMode                          : 1
eacExpiresOn                    :
emergencyAccessTokenCode        :
emergencyAccessTokenCodeAllowed : True
id                              :
lastEaAuth                      :
lastTFTAuth                     :
lostMode                        : 0
numUnusedCodes                  : 0
offlineAuthAllowed              : False
oneTimeTokencodeSet             :
serialNumber                    : 000505193721
temporaryFixedTokencode         : 852963
tftExpiration                   :
tokenLost                       : False
tokenType                       : 0
validDownloadedData             : False
validOfflineData                : False
validOnlineData                 : False

 

 

Well any help in activating Emergency access code with API would be much appreciated !

Labels (1)
0 Likes
1 Solution

Accepted Solutions

Hi Thomas - I see that you have opened a support case with RSA.  That's probably the route to go as I have too many unanswered questions to efficiently troubleshoot this in the forum.

 

Thanks,

Ted

View solution in original post

7 Replies
TedBarbour
Employee
Employee

Hi Thomas - here is some rough test code (java) around generating emergency code.  Hopefully this will get you headed in the right direction…

 

//Lookup token guid
LookupTokenCommand lookup = new LookupTokenCommand();
lookup.setSerialNumber(sn);
lookup.execute();
TokenDTO token = lookup.getToken();
//set up emergency access
LookupTokenEmergencyAccessCommand lookupEA = new LookupTokenEmergencyAccessCommand();
lookupEA.setGuid(token.getId());
lookupEA.execute();
TokenEmergencyAccessDTO eac = lookupEA.getTokenEmergencyAccess();
eac.setTokenLost(true);
eac.setLostMode(TokenDTO.DISABLE_EA_ON_AUTH);
eac.setEaMode(1); //fixed tokencode
eac.setEaExpiration(new Date(109,8,16)); //September 16, 2009
//generate and set code 
GenerateEmergencyAccessCodeCommand genEAC = new GenerateEmergencyAccessCodeCommand();
genEAC.setTokenGuid(token.getId());
genEAC.execute();
String code = genEAC.getEmergencyAccessCode();
eac.setTemporaryFixedTokencode(code);
System.out.println("EAC for "+ sn + "is: "+ code); //display the EA tokencode
//apply the EA settings - equivalent to the "Save" button on the SC GUI
UpdateTokenEmergencyAccessCommand updateEA = new UpdateTokenEmergencyAccessCommand(eac);
updateEA.execute();

0 Likes

Hi Ted,

 

I just ran into the process you described (thanks a lot for it) but when I use the LookupTokenEmergencyAccess Command, I get the following error : com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified

 

Would you have any clue about this ?

 

Thanks.

0 Likes

Same with GenerateEmergencyAccessCodeCommand

0 Likes

Please see the AdminAPIDemos example code in the SDK for example of obtaining an identity source identifier:

 

public AdminAPIDemos() throws Exception {

        SearchRealmsCommand searchRealmCmd = new SearchRealmsCommand();

        searchRealmCmd.setFilter(Filter.equal(RealmDTO.NAME_ATTRIBUTE, "SystemDomain"));

        searchRealmCmd.execute();

        RealmDTO[] realms = searchRealmCmd.getRealms();

        if (realms.length == 0) {

            throw new Exception("ERROR: Could not find realm SystemDomain");

        }

        domain = realms[0].getTopLevelSecurityDomain();

        idSource = realms[0].getIdentitySources()[0];

Beyond that we would need to see your code and the stack trace/error being thrown to try to help further.

 

Ted

0 Likes

Actually I don't have any trouble getting the idSource when needed but here, I get the error on a function that doesn't ask for the idSource.

You can copy/paste this code into connect_rsaapi.ps1 (it complies with my company's coding rules) :

function rsa_set_globals(
    [string]$rsa_server = "<your RSA AM server>",
    [string]$admin_login = '<your login>',
    [SecureString]$admin_password, # can be passed through : $admin_password = read-host -AsSecureString
    [string]$api_login = "CmdClient_********",
    [string]$api_password = "******************************"
) {
    write-host "Récup WSDL et creation namespace rsaapi" -ForegroundColor DarkCyan
    $secpass=ConvertTo-SecureString $api_password -AsPlainText -Force
    $cred=New-Object System.Management.Automation.PSCredential($api_login, $secpass)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $securIDWebWervice = New-WebServiceProxy -Uri "https://${rsa_server}:7002/ims-ws/services/CommandServer?wsdl" -Namespace rsaapi -Credential $cred

 


    write-host "Créer le server de commandes" -ForegroundColor DarkCyan
    $Global:CommandServer = New-Object rsaapi.CommandServerService
    $Global:CommandServer.Credentials=$cred
    $Global:CommandServer.Url="https://${rsa_server}:7002/ims-ws/services/CommandServer"

 


    write-host "Mise en forme des identifiants de $admin_login" -ForegroundColor DarkCyan
    $userNameParam=New-Object rsaapi.FieldParameterDTO
    $userNameParam.promptKey="AUTHENTICATIONSERVICE_PRINCIPALID"
    $userNameParam.value = $admin_login

 

    $userPasswordParam=New-Object rsaapi.FieldParameterDTO
    $userPasswordParam.promptKey = "PASSWORD_CREDENTIAL"
    $userPasswordParam.value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($admin_password))

 

    [rsaapi.AbstractParameterDTO[]]$paramsArray=@($userNameParam,$userPasswordParam)

 


    write-host "Connexion de $admin_login" -ForegroundColor DarkCyan
    $Global:loginCommand = New-Object rsaapi.LoginCommand
    $Global:loginCommand.authenticationMethodId="LDAP_Password"
    $Global:loginCommand.parameters=$paramsArray
    $Global:loginCommand=$Global:CommandServer.executeCommand([System.Management.Automation.Language.NullString]::Value , $loginCommand)

 

    if (! $loginCommand.authenticationState.Equals("authenticated")) {
        write-host "Login et/ou mot de passe incorrects" -ForegroundColor Red
        throw "Login et/ou mot de passe incorrects"
    }
}       

 

function rsa_get_idsource (
    [string]$nom = "<Your Id source Name (Active directory domain for me)>"
) {
    $query = New-Object rsaapi.GetIdentitySourcesCommand
    $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    return ($result.identitySources | where {$_.name -like $nom})
}

 

function rsa_get_user(
    [Parameter(Mandatory=$True)][string]$login,
    [int]$min = 1,
    [int]$max = 1,
    [int]$search_limit = 5000 # I used the dirty way here...I know...
) {    
    $query = New-Object rsaapi.SearchPrincipalsCommand
    $query.identitySourceGuid = (rsa_get_idsource).guid
    $query.limit = $search_limit # I used the dirty way here...I know...
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de retrouver l'utilisateur $Login :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    
    $principals = $result.principals | where {$_.userID -like $login}
    
    if ($principals.count -lt $min) {
        Write-Host "On n'a pas trouvé assez d'utilisateurs avec" $login ":" $principals.count "au lieu de minimum" $min -ForegroundColor Red
        throw "Pas assez d'utilisateurs trouvés"
    } elseif ($principals.count -gt $max) {
        Write-Host "On a trouvé trop d'utilisateurs avec" $login ":" $principals.count "au lieu de maximum" $max -ForegroundColor Red
        throw "Trop d'utilisateurs trouvés"
    }
    return $principals
}

 

function rsa_get_token (
    [Parameter(Mandatory=$True)][long]$serialNumber
) {
    $query = New-Object rsaapi.LookupTokenCommand
    $query.serialNumber = "{0:D12}" -f $serialNumber
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de trouver le token $Token_number :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    return $result.token
}

 

function rsa_link_token_to_user (
    [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user,
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    $query = New-Object rsaapi.LinkTokensWithPrincipalCommand
    $query.principalGuid = $user.guid
    $query.tokenGuids    = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de d'associer le token" $Token.serialNumber "à" $User.userID ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

 

function rsa_get_user_tokens (
    [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user
) {
    $query = New-Object rsaapi.ListTokensByPrincipalCommand
    $query.principalId = $user.guid
    $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    return $result.tokenDTOs
}

 

function rsa_unassign_token (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
) {
    $query = New-Object rsaapi.UnlinkTokensFromPrincipalsCommand
    $query.tokenGuids = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de libérer le token" $Token.serialNumber "associé à '" $token.assignedUserId "' :" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

 


Add-Type -TypeDefinition @"
   public enum EA_mode
   {
      DISABLE_EA_ON_AUTH=1,
      DISABLE_EA_ON_EXPIRE=2,
      DISABLE_EA_NEVER=3
   }
"@

 

function rsa_emergency_code (
    [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token,
    [Parameter(Mandatory=$True)][EA_mode]$mode,
    [Parameter(Mandatory=$True)][DateTime]$expiration
) {
    # Générer un code
    $query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
    $query.tokenGuid = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de générer un code d'accès pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    $code = $result.emergencyAccessCode # the try clause has never wroked so I'm not sure this is the correct property name

 

    # Récupérer l'emergency access du token
    $query = New-Object rsaapi.LookupTokenEmergencyAccessCommand
    $query.Guid = $token.id
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de trouver l'accès d'urgence du token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
    $tokenEA = $result.tokenEmergencyAccess # the try clause has never wroked so I'm not sure this is the correct property name

 

    # Envoyer le code générer pour l'emergency access du token
    $tokenEA.tokenLost = $true
    $tokenEA.lostMode = [int]$mode
    $tokenEA.eaMode = 1 # Fixed token code
    $tokenEA.eaExpiration = Get-Date $a -Format 'MM/dd/yyyy'
    $tokenEA.temporaryFixedTokencode = $code
    $query = New-Object rsaapi.UpdateTokenEmergencyAccessCommand
    $query.tokenEmergencyAccessDTO = $tokenEA
    try {
        $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
    } catch {
        Write-host "Impossible de pousser le code" $code "pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
        throw $Error[0]
    }
}

 

 

 

 

Then, you can run in a powerhsell console :


$Token_number = '12345678' # of an attributed token, of course
$days = 7 # days to enable EA code, starting today
$admin_login = $env:USERNAME # or login of the adminitrator connectong to the AM
$admin_password = read-host -AsSecureString  # password of this token administrator

 

 

$ErrorActionPreference = "Stop"

#Chargement modules
Write-Host "Chargement console RSA" -ForegroundColor Cyan
. connect_rsaapi.ps1
rsa_set_globals -admin_login $admin_login -admin_password $admin_password

$token = rsa_get_token -serialNumber $Token_number

rsa_emergency_code -token $token -mode DISABLE_EA_ON_AUTH -expiration (Get-Date).AddDays($jours)

0 Likes

If you run parts of my rsa_emergency_code function, then you will see that the GenerateEmergencyAccessCodeCommand and LookupTokenEmergencyAccessCommand does not contain an identitySourceGuid property (New-Object rsaapi.LookupTokenEmergencyAccessCommand | gm) unlike the "New-Object rsaapi.SearchPrincipalsCommand | gm" does.

0 Likes

Hi Thomas - I see that you have opened a support case with RSA.  That's probably the route to go as I have too many unanswered questions to efficiently troubleshoot this in the forum.

 

Thanks,

Ted