Article Number
000036919
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 or later
Issue
An administrator is using the Change User/Token Security Domain (CUSD) command to move tokens from one Security Domain to another, and the command generates an error message in the AMBA output file:
Failure: yyyy-mm-dd hh:mm:ss : Line 2 - changeUserSecurityDomain - User: Unassigned, Token: 000xxxxxx123 NOT moved to Security Domaine: MyNewSecDomain - Reason: failed to find principal
Cause
The tokens being moved between Security Domains have leftover CT-KIP authcode data that references a principal which no longer exists in the Authentication Manager database.
Resolution
An administrator can review and remove the CT-KIP authcode data from the rsa_rep.am_ctkip_authcode table within the Authentication Manager database.
Steps to acquire the Authentication Manager database administrator password
- Log on to the SecurID Appliance, either via SSH (where Secure Shell has been enabled) or the local console, with the rsaadmin account.
Note that a different user name may have been selected during Quick Setup. Use that user name to log in.
- Navigate to the /opt/rsa/am/utils folder using the command:
cd /opt/rsa/am/utils
- Retrieve the password for the rsa_dba user using the following command:
./rsautil manage-secrets -a get com.rsa.db.dba.password
NOTE: When prompted, enter the Operations Console administrative account username and password.
Report on CT-KIP authcode data
- To generate a report on CT-KIP authcode data use the following command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "COPY ( SELECT a.id, a.token_id, a.principal_id FROM rsa_rep.am_ctkip_authcode a, rsa_rep.am_principal p where a.principal_id=p.id ) TO STDOUT WITH CSV HEADER " > /tmp/report_data.csv
- When prompted enter the rsa_dba password obtained in step 3 above.
- Review the contents of the /tmp/report_data.csv:
more /tmp/report_data.csv
Removing CT-KIP authcode data
- To remove the CT-KIP authcode data in the rsa_rep.am_ctkip_authcode table, use the following command:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -c "delete FROM rsa_rep.am_ctkip_authcode"
- When prompted enter the rsa_dba password obtained in step 3 above.
NOTE: The distribution of software tokens via dynamic seed provisioning (CT-KIP) will generate new data in the rsa_rep.am_ctkip_authcode table.
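The report command above lists authcode rows whose principal still exists, while the delete command clears the whole table. As an added example (not part of this RSA article), the following Python script builds a constructed SQLite stand-in for the two tables named on this page, using only the columns the report query references, and shows the complementary queries: one that lists only the orphaned authcode rows (principal missing) and one that deletes only those rows. The SQL is standard and would run unchanged in psql against the Authentication Manager database; the sample rows and the assumption that am_principal.id is never NULL are the author's constructed assumptions.

```python
import sqlite3

# Constructed sample data for the two tables the article refers to.
# Columns are limited to those used by the article's report query.
CONSTRUCTED_ROWS = {
    "am_principal": [("p-100",), ("p-200",)],
    "am_ctkip_authcode": [
        ("ac-1", "000100000123", "p-100"),  # principal still exists
        ("ac-2", "000100000124", "p-999"),  # principal was deleted: orphaned
        ("ac-3", "000100000125", "p-200"),  # principal still exists
        ("ac-4", "000100000126", None),     # no principal recorded at all
    ],
}

# Lists authcode rows whose principal_id matches no row in am_principal.
ORPHAN_REPORT_SQL = """
SELECT a.id, a.token_id, a.principal_id
  FROM rsa_rep.am_ctkip_authcode a
  LEFT JOIN rsa_rep.am_principal p ON a.principal_id = p.id
 WHERE p.id IS NULL
 ORDER BY a.id
"""

# Deletes only the orphaned rows, leaving valid CT-KIP authcode data in place.
# Assumes am_principal.id is never NULL (otherwise NOT IN would match nothing).
ORPHAN_DELETE_SQL = """
DELETE FROM rsa_rep.am_ctkip_authcode
 WHERE principal_id IS NULL
    OR principal_id NOT IN (SELECT id FROM rsa_rep.am_principal)
"""

def build_db():
    """Create an in-memory database with an rsa_rep schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS rsa_rep")  # emulate the schema prefix
    conn.execute("CREATE TABLE rsa_rep.am_principal (id TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE rsa_rep.am_ctkip_authcode "
                 "(id TEXT PRIMARY KEY, token_id TEXT, principal_id TEXT)")
    conn.executemany("INSERT INTO rsa_rep.am_principal VALUES (?)",
                     CONSTRUCTED_ROWS["am_principal"])
    conn.executemany("INSERT INTO rsa_rep.am_ctkip_authcode VALUES (?, ?, ?)",
                     CONSTRUCTED_ROWS["am_ctkip_authcode"])
    return conn

def orphaned_authcodes(conn):
    """Return (id, token_id, principal_id) for every orphaned authcode row."""
    return conn.execute(ORPHAN_REPORT_SQL).fetchall()

def purge_orphaned_authcodes(conn):
    """Delete the orphaned rows and return how many were removed."""
    cur = conn.execute(ORPHAN_DELETE_SQL)
    conn.commit()
    return cur.rowcount

def remaining_authcodes(conn):
    """Return the ids of all authcode rows still in the table."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM rsa_rep.am_ctkip_authcode ORDER BY id")]
```

Review the orphan report first; the targeted delete removes only rows that would trigger the "failed to find principal" error, so tokens with valid CT-KIP data keep their authcodes.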
Notes
For more information on the Change User/Token Security Domain (CUSD) command, refer to page 62 of the RSA Authentication Manager 8.3 Bulk Administration Utility (AMBA) Guide. The syntax is as follows:
Action,DefLogin,SecurityDomain,DestinationSecurityDomain,MiscVariable
CUSD,<all>,MyOldSecDomain,MyNewSecDomain,4