This can be done with a hotfix and a new CLU.
Prerequisites:
1. The customer has applied the latest hotfix rollup or is at SP2 or higher.
2. The reset-masterpwd.jar file has been installed on the primary server. This file must be copied to %RSAHOME%/utils/lib. (For the Appliance, you will need to transfer the file to /tmp as emcsrv, then move it as root.) For the Appliance and other non-Windows versions, change the file permissions as follows:
chmod 600 reset-masterpwd.jar
chown rsaadmin reset-masterpwd.jar
chgrp rsaadmin reset-masterpwd.jar
Use the correct user and group for your installation.
To run the utility, cd to the utils folder and run:
rsautil reset-masterpwd
Enter New Master Password: **********
Confirm New Master Password: **********
Properties from %RSAHOME%\utils\etc\systemfields.properties recovered successfully.
To run it more than once, you will need to delete the utils\etc\systemfields.properties.backup file created during the first run.
One important note: if you use RADIUS, this doesn't change the master password that the configUtil command expects, so to finish the process run:
%RSAHOME%/config/configUtil configure util-config updateAdmin -R master.password=<newpassword> -R superadmin.username=<xyz> -R superadmin.password=<xyz>
NOTE: This part is only available with the latest hotfix rollup or SP2. If you are not using RADIUS, this is not required but is strongly recommended, because you may use RADIUS in the future.
After using this tool to reset the Master Password, run a backup.
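A preflight check for the jar prerequisites and the re-run condition described above, as an added example that is not part of the original article or RSA's tooling. The function name and its arguments are assumptions; it relies on GNU stat and only reads file metadata.

```shell
#!/bin/sh
# Added example, not RSA code. Paths under RSAHOME come from the article;
# the function name and its arguments are assumptions. Requires GNU stat.
#
# Usage: preflight_reset_masterpwd "$RSAHOME" rsaadmin rsaadmin
# Prints one line per problem and returns the number of problems (0 = ready).
preflight_reset_masterpwd() {
    rsahome=$1 owner=$2 group=$3
    jar="$rsahome/utils/lib/reset-masterpwd.jar"
    backup="$rsahome/utils/etc/systemfields.properties.backup"
    problems=0

    if [ ! -f "$jar" ]; then
        echo "MISSING: $jar"
        problems=$((problems + 1))
    else
        mode=$(stat -c '%a' "$jar")          # octal permission bits
        actual_owner=$(stat -c '%U' "$jar")  # owner name
        actual_group=$(stat -c '%G' "$jar")  # group name
        if [ "$mode" != "600" ]; then
            echo "MODE: $jar is $mode, expected 600"
            problems=$((problems + 1))
        fi
        if [ "$actual_owner" != "$owner" ]; then
            echo "OWNER: $jar is owned by $actual_owner, expected $owner"
            problems=$((problems + 1))
        fi
        if [ "$actual_group" != "$group" ]; then
            echo "GROUP: $jar has group $actual_group, expected $group"
            problems=$((problems + 1))
        fi
    fi

    # The article notes that a backup file left by a first run must be
    # deleted before the utility can be run again.
    if [ -e "$backup" ]; then
        echo "STALE: $backup exists from an earlier run"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```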
Note: SP2 includes a newer version of existing utilities. From the release notes:
To recover the master password, you must create at least one additional RSA Operations Console administrator immediately after installing Authentication Manager. Make sure that this administrator has a password that is different from the master password. All Operations Console administrators can run the manage-secrets CLU to recover the system fingerprint, which is initially encrypted using the master password.
The manage-secrets CLU has five new options:
The manage-backup CLU has two new options:
You can use these options to run the CLU when you cannot access the master password.