This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

The utility manage-readonly-dbusers does not work to subnet in spite of using -n option with RSA Authentication Manager 8.2 SP1 and above

Article Number

000038141

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 SP1, 8.3, 8.4 patch 6

Issue

When running ./rsautil manage-readonly-dbusers CLU with the -n option, the expected result is that the user is created, and the subnet is allowed to access.  The user is created, but the subnet is not accessible.

Cause

Firewall, iptables, does not allow to the subnet specified.  For example:
  1. You created a new database readonly user using the command below. Where -X (debug mode) -a (action - create) -o (OC user) -u (new db username) -i (IP address of client) -n (IP mask of client machine(s)).

 
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-readonly-dbusers -X -a create -o ocadmin -u dbreaduser -i 10.114.187.0 -n 255.255.255.0
Enter Operations Console (OC) password: <enter Operations Console admin password>
Enter password for the read-only database user: <enter read-only database user password>
Confirm password for the read-only database user: <re-enter read-only database user password>
Executing action: 'create'.
Trusted Root SSL CA certificate was copied in file '/opt/rsa/am/utils/RSAAMTrustedRootSSLCA.crt'.
'create' action complete.
  1. Cat the pg_hba.conf file for the name of the read only user:
rsaadmin@am82p:/opt/rsa/am/utils> cat /opt/rsa/am/rsapgdata/pg_hba.conf | grep dbreaduser
hostssl all             dbreaduser      10.114.187.0    255.255.255.0           md5
  1. Change to the root user and check iptables for port 7050, using options to list the rules with numeric output:
# rsaadmin@am82p:/opt/rsa/am/utils> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # /usr/sbin/iptables -L -n -v | grep 7050
0 0 ACCEPT tcp – * * 10.114.187.0 0.0.0.0/0 tcp dpt:7050 
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7050
  1. Cat iptables for references to port 7050 to confirm changes:
am82p:~ # cat /etc/sysconfig/iptables | grep 7050
-A INPUT -s 10.114.187.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7050 -j DROP

Workaround

Edit /etc/sysconfig/iptables directly.
  1. Enable Secure Shell on the Appliance
  2. Log On to the Appliance Operating System with SSH
  3. Switch to the root user 
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Thu Jan  2 15:50:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:~> sudo su -
rsaadmin's password: <enter operating system password>
  1. Edit /etc/sysconfig/iptables.  For example, change from /32, as shown:
-A INPUT -s 10.24.0.0/32 -p tcp -m tcp --dport 7050 -j ACCEPT
to /24:
-A INPUT -s 10.24.0.0/24 -p tcp -m tcp --dport 7050 -j ACCEPT
  1. Restart the iptables service:
am82p:~ # service iptables restart
Restarting iptables  

Notes

You need to turn setting back to the original if you would like to delete this user.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:13 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.