RSA Authentication Manager 7.1, RSA SecurID Appliance 3.0
Internal Only. This solution is not officially supported, and should only be used as a last resort. This solution has significant issues, and the customer should be STRONGLY encouraged to locate the correct Master Password, instead of using this solution. This includes such mundane things as verifying they are using a good keyboard.
How do I reset the master password when it is not known?
Master password was forgotten or is not known.
IMPORTANT UPDATE: 07/06/2021
Should a customer reach out to RSA support for help with resetting the master password when it is not known, the support scope is to engage Professional Services/senior engineer through their account manager.
DO NOT SUPPLY THIS TO CUSTOMERS WITHOUT MANAGEMENT APPROVAL! Management needs to be informed about this situation, and they need to approve supplying this information or the file to customers. If the situation is critical, raise it with your reporting manager for help.
Verify that the customer really needs to reset an unknown Master Password, and NOT a SuperAdmin, Operations Console Admin, or Operating System password.
Technical support should refrain from supplying the jar file to customers by any means.
This can be done with a hotfix and new CLU.
1. The customer has applied the latest hotfix rollup or is at SP2 or higher.
2. The reset-masterpwd.jar file has been installed on the primary server. This file must be copied to %RSAHOME%/utils/lib. (For the Appliance you will need to transfer the file to /tmp as emcsrv, then move it as root.) For the Appliance and other non-Windows versions, change the file permissions as follows:
chmod 600 reset-masterpwd.jar
chown rsaadmin reset-masterpwd.jar
chgrp rsaadmin reset-masterpwd.jar
Use the correct user and group of course...
To run the utility cd to the utils folder and run:
Enter New Master Password: **********
Confirm New Master Password: **********
Properties from %RSAHOME%\utils\etc\systemfields.properties recovered successfully.
To run it more than once, you will need to delete the utils\etc\systemfields.properties.backup file created during the first run.
One important note: if you use Radius, this does not change the master password that the configUtil command expects, so to finish the process run:
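A pre-flight check for the steps above, as an added example that is not part of the original article or of RSA's tooling: it confirms the jar has mode 600 with the expected owner and group, and detects the systemfields.properties.backup file left by a previous run. It assumes GNU stat on a non-Windows install; the function names are hypothetical, and the install root (RSAHOME) is passed as an argument.

```shell
#!/bin/sh
# Added example, not RSA code. Assumes GNU stat (Linux appliance / non-Windows).

# check_jar_perms FILE OWNER GROUP
# Succeeds only if FILE is a regular, non-symlink file with mode 600 and
# the expected owner and group (the chmod/chown/chgrp step).
check_jar_perms() {
    jar=$1; want_owner=$2; want_group=$3
    if [ -L "$jar" ]; then echo "refusing symlink: $jar" >&2; return 2; fi
    if [ ! -f "$jar" ]; then echo "missing: $jar" >&2; return 2; fi
    mode=$(stat -c '%a' "$jar")
    owner=$(stat -c '%U' "$jar")
    group=$(stat -c '%G' "$jar")
    bad=0
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600" >&2; bad=1; }
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner" >&2; bad=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group" >&2; bad=1; }
    return $bad
}

# check_stale_backup RSAHOME
# Fails if a backup from an earlier run is still present; the utility
# cannot be run again until that file is deleted.
check_stale_backup() {
    backup="$1/utils/etc/systemfields.properties.backup"
    if [ -e "$backup" ]; then
        echo "previous run detected: $backup" >&2
        return 1
    fi
    return 0
}

# preflight RSAHOME OWNER GROUP
# Runs both checks and reports a single pass/fail status.
preflight() {
    status=0
    check_jar_perms "$1/utils/lib/reset-masterpwd.jar" "$2" "$3" || status=1
    check_stale_backup "$1" || status=1
    return $status
}

# Usage (user and group as on this page; substitute the correct ones):
#   preflight "$RSAHOME" rsaadmin rsaadmin && echo "ready to run"
```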
%RSAHOME%/config/configUtil configure util-config updateAdmin -R master.password=<newpassword> -R superadmin.username=<xyz> -R superadmin.password=<xyz>
NOTE: This part is only available with the latest hotfix rollup or SP2. If you are not using Radius this is not required, but strongly recommended, because you may use Radius in the future.
After using this tool to reset the Master Password, run a backup.
Downloadable PDF with AM 7.1 Password Purgatory explanation: https://knowledge.rsasecurity.com/patches/attach/a57342_Password.pdf
Note: SP2 includes a newer version of existing utilities. From the release notes:
To recover the master password, you must create at least one additional RSA Operations Console administrator immediately after installing Authentication Manager. Make sure that this administrator has a password that is different from the master password. All Operations Console administrators can run the manage-secrets CLU to recover the system fingerprint, which is initially encrypted using the master password.
The manage-secrets CLU has five new options:
- -u, --user
User name for the encrypted properties file.
- -p, --password
Password of the user for the encrypted properties file.
- -N, --new-master-pwd
New master password for 'change' action.
- -f, --file
Password-protected file to import, export, or load.
- -F, --force
Force an overwrite of the administrator credentials with an imported file.
The manage-backup CLU has two new options:
- -u, --user
Operations Console administrator user name for the encrypted properties file.
- -p, --password
Operations Console administrator password for the encrypted properties file.
You can use these options to run the CLU when you cannot access the master password.