This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How do I reset the master password when it is not known?

Article Number

000026750

Applies To

RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
Internal Only.  This solution is not officially supported, and should only be used as a last resort. This solution has significant issues, and the customer should be STRONGLY encouraged to locate the correct Master Password, instead of using this solution.  This includes such mundane things as verifying they are using a good keyboard.

Issue

How do I reset the master password when it is not known?
Master password was forgotten or is not known.

IMPORTANT UPDATE: 07/06/2021

Should a customer reach out to RSA support for help with resetting the master password when it is not known, the support scope is to engage Professional services/Senior engineer through their accounts manager. 
  
DO NOT SUPPLY THIS TO CUSTOMERS WITHOUT MANAGEMENT APPROVAL! Management needs to be informed about this situation, and they need to approve supplying this information or the file to customers. If the situation is critical, do highlight the same to your reporting manager for help. 

Verify that customer really needs to reset an unknown Master Password, and NOT a SuperAdmin, Operations Console Admin, or Operating System password. 

Technical support should refrain from supplying the jar file to customers by any means. 

Resolution

This can be done with a hotfix and new CLU.

Prerequisites:

1.  The customer has applied the latest hotfix rollup or is at SP2 or higher.
2.  The reset-masterpwd.jar file has been installed on the primary server.  This file must be copied to the %RSAHOME%/utils/lib. (For the Appliance you will need to transfer the file to /tmp as emcsrv then move it as root) For the Appliance and other Non-Windows versions change the file permissions as follows:

chmod 600 reset-masterpwd.jar
chown rsaadmin reset-masterpwd.jar
chgrp rsaadmin reset-masterpwd.jar

Use the correct user and group of course...


To run the utility cd to the utils folder and run:
 

rsautil reset-masterpwd

Enter New Master Password: **********

Confirm New Master Password: **********

Properties from %RSAHOME%\utils\etc\systemfields.properties recovered successfully.


To run it more than once you will need to delete the utils\etc\systemfields.properties.backup file created during the first run


One important note. If you use Radius this doesn't change the master password that the configutil command expects, so to finish the process run:

%RSAHOME%/config/configUtil configure util-config updateAdmin -R master.password=<newpassword> -R superadmin.username=<xyz> -R superadmin.password=<xyz>

NOTE: This part is only available with the latest hotfix rollup or SP2.  If you are not using Radius this is not required, but strongly recommended, because you may use Radius in the future.

After using this tool to reset the Master Password, run a backup.
 

Downloadable PDF with AM 7.1 Password Purgatory explanation
https://knowledge.rsasecurity.com/patches/attach/a57342_Password.pdf

Notes

Note: SP2 includes a  newer version of existing utilities. From the release notes:

To recover the master password, you must create at least one additional RSA Operations Console administrator immediately after installing Authentication Manager. Make sure that this administrator has a password that is different from the master password. All Operations Console administrators can run the manage-secrets CLU to recover the system fingerprint, which is initially encrypted using the master password.

The manage-secrets CLU has five new options:

  • -u, --user
    User name for the encrypted properties file.
  • -p, --password
    Password of the user for the encrypted properties file.
  • -N, --new-master-pwd
    New master password for 'change' action.
  • -f, --file
    Password-protected file to import, export, or load.
  • -F, --force
    Force an overwrite of the administrator credentials with an imported file.

The manage-backup CLU has two new options:

  • -u, --user
    Operations Console administrator user name for the encrypted properties file.
  • -p, --password
    Operations Console administrator password for the encrypted properties file.

You can use these options to run the CLU when you cannot access the master password.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-06-11 01:36 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.