When RSA SecurID token seed files are imported into RSA Authentication Manager, they are set to Disabled by default and are enabled automatically when assigned or edited. However, when a user requests a token through the Self-Service Console with automatic approval (0 steps), the email to the end user requires the user to enable/activate the token.
This can be confusing to end users and can generate Help Desk calls, especially since the steps to activate the token are listed first in the email, but will not work until token is first set to Enabled. This article provides a workaround for this situation.
To work around this issue, an RSA Authentication Manager administrator will need to:
Either enable unassigned tokens in bulk through the Security Console, or
Enable all disabled tokens through a SQL update command in the PostgreSQL database.
Enable unassigned tokens in bulk through the Security Console
A simple work-around would be enable the tokens in bulk in the Security Console?. Note that a maximum of 500 unassigned tokens can be selected at a time.
From the Security Console, select Authentication > SecurID Tokens > Manage Existing.
Click on the Unassigned tab.
In the Search Criteria options, define the Security Domain and search for All Unassigned Tokens.
When the results come back, place a check next to the tokens you wish to enable.
As in the screenshot below, change the Action box to Enable.
After clicking Go, the green check is removed from the Disabled column, indicating the token is now enabled for use. Now the user can successfully request token through Self Service Console.
Enable all disabled tokens through a SQL UPDATE command in the PostgreSQLdatabase
Launch an SSH client, such as PuTTY, vSphere or a direct connection
Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to login.
Navigate to /opt/rsa/am/utils.
Obtain the database password with the command ./rsautil manage-secrets -a get com.rsa.db.dba.password. This password is unique for each deployment of RSA Authentication Manager.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Oct 7 16:31:13 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Navigate to /opt/rsa/am/pgsql/bin.
Connect to the PostgreSQL database:
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba:
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
Run the following SELECT statement:
db=# SELECT serial_number,IS_ENABLED FROM am_TOKEN WHERE IS_ENABLED='f';
serial_number | is_enabled
000031701333 | f
000031701334 | f
000031701335 | f.
The list of token serial numbers displayed here should match the tokens shown as Disabled in the Security Console UI.
Enabled these tokens with an UPDATE command that sets the IS_ENABLED value from false to true:
db=# UPDATE rsa_rep.AM_TOKEN set IS_ENABLED='t' WHERE IS_ENABLED='f';
Refresh the Security Console and compare the list of tokens with the tokens in the UI to confirm the token flag was updated successfully and the tokens are now listed as enabled.