If super admin credentials do not allow access to the RSA Authentication Manager Security Console, the rsautil command restore-admin
can be used to create a temporary administrative user that can access the Security Console and reset the initial admin's credentials.
Super admin login to the Security Console will fail if one or more of the following are true:
- The super admin password is incorrect;
- The super admin account is locked;
- Authentication settings were changed to settings that will not allow login; and/or
- All known super admin users were deleted from the database.
The preferred method to fix this issue is to have another super admin log in to the Security Console, unlock the affected admin(s) and then correct the authentication settings, as appropriate. If the lockout policy that applies to the super admin allows auto-unlock, wait for the account to unlock.
If the methods above do not resolve the issue, the restore-admin utility can be used to create a temporary super admin and the authentication policy can be reset to the default.
Prerequisites
- SSH access to the server must be enabled. To do this, log in to the Operations Console, select Administration > Operating System Access, check the option to enable SSH on eth0, then click Save.
- Operating system password for the rsaadmin user.
- Operations Console admin user name and password.
On the command line
To begin,
- Access the operating system using SSH, the vSphere client for a virtual appliance or with a keyboard and monitor connection to a hardware appliance.
- Log in as the rsaadmin user.
- Navigate to /opt/rsa/am/utils
- Enter the command ./rsautil restore-admin -u <temporary admin user name> -p <temporary admin user password>, as in the example below.
When choosing the password, note that it must be between 8 and 32 characters, contain at least one alphabetic character and at least one special character, and must not contain spaces, @, or ~. Because the password is passed on the command line, it is normally recorded in the rsaadmin shell history and is visible to other OS users in the process list while the command runs; treat it as a short-lived credential and do not reuse a password from elsewhere.
- When prompted for the Operations Console administrator username, enter the information and press Enter.
- When prompted, enter the password for the Operations Console administrator keyed in above and press Enter.
- A prompt will display asking "Are you sure you want to continue? (Y/N)," type Y and press Enter.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS user password>
Last login: Fri Sep 18 18:18:20 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil restore-admin -u tempAdmin -p tempPassword!
Please enter OC Administrator username: <enter Operations Console admin name>
Please enter OC Administrator password: <enter Operations Console admin's password>
A temporary admin will be created with user ID 'tempAdmin'.
Are you sure you want to continue? (Y/N): y
Admin created successfully.
*****************************************************************************
Note
1) The 'tempAdmin's console access will expire on Tue Sep 29 09:20:56 EDT 2015.
2) Console authentication policy is changed to RSA_Password/LDAP_Password. In order to make the
policy change effective please flush the cache through operations console.
*****************************************************************************
rsaadmin@am81p:/opt/rsa/am/utils>
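The command-line steps above, wrapped in a small bash script. This is an added example and is not part of the RSA article or the rsautil tool: it checks a proposed temporary admin password against the policy the article states (8 to 32 characters, at least one letter, at least one special character, no spaces, @ or ~) before restore-admin is ever run, and it reads the password from an echo-off prompt so that it does not land in the shell history. The function names, the prompt wrapper and the sample passwords are assumptions of mine; the restore-admin invocation and its -u/-p flags are the ones the article shows, and the utility still prompts for the Operations Console credentials itself.

```shell
#!/bin/bash
# Added example, not from the RSA article or rsautil. Validates a temporary
# admin password against the policy the article states, then calls
# "rsautil restore-admin" with it. Function names are my own (assumption).

# Returns 0 if the password satisfies the stated policy, 1 otherwise.
validate_temp_password() {
    local pw="$1"
    local len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
        echo "password must be 8-32 characters (got $len)" >&2
        return 1
    fi
    # Forbidden characters: space, '@' and '~'.
    case "$pw" in
        *' '*|*'@'*|*'~'*)
            echo "password must not contain spaces, '@' or '~'" >&2
            return 1 ;;
    esac
    # At least one alphabetic character.
    case "$pw" in
        *[[:alpha:]]*) ;;
        *) echo "password needs at least one letter" >&2; return 1 ;;
    esac
    # At least one special (non-alphanumeric) character.
    case "$pw" in
        *[![:alnum:]]*) ;;
        *) echo "password needs at least one special character" >&2; return 1 ;;
    esac
    return 0
}

# Prompts for the temporary admin password with echo off, validates it and
# runs the utility. The value still appears in the process list while
# rsautil runs, because -p is the only way the article shows to pass it.
run_restore_admin() {
    local user="$1"
    local pw
    printf 'Temporary admin password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    echo >&2
    validate_temp_password "$pw" || return 1
    cd /opt/rsa/am/utils || return 1
    # rsautil prompts for the Operations Console admin name and password,
    # then asks "Are you sure you want to continue? (Y/N)".
    ./rsautil restore-admin -u "$user" -p "$pw"
}

# Run only when a temporary admin user name is given, e.g.:
#   bash restore_admin.sh tempAdmin
if [ $# -ge 1 ]; then
    run_restore_admin "$1"
fi
```

Run it as rsaadmin on the appliance with the temporary user name as the only argument; a password that breaks the policy is rejected locally with a reason instead of failing inside rsautil.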
In the user interface
- Log in to the Operations Console using the Operations Console admin's credentials.
- Click Maintenance > Flush Cache. If prompted, enter the credentials for the super admin user created above and click OK.
- Under Flush Cache, select Flush all cache objects and click Flush.
- Using the temporary admin account created above, log in to the Security Console.
- Select Identity > Users > Manage Existing and search for the initial super admin that was not able to login to the Security Console. From the context arrow next to the admin name choose Edit.
- Review the super admin account:
  - If the super admin is in the internal database and uses a password to authenticate to the Security Console:
    - Scroll to the Password section and set a new password for the admin. Click Save when done.
    - Scroll to the Account Information section. If the account is locked, unlock it and click Save.
  - If the super admin is in an external identity source and uses an LDAP password to authenticate:
    - Update the password through the external identity source's own tools. Note that RSA recommends that super admin users exist in the internal database rather than in an external identity source, so that they can still log in to the Security Console and Operations Console when connectivity to the external identity source is down.
  - If the super admin uses a token to authenticate, navigate to Authentication > SecurID Tokens > Manage Existing and search for the super admin's token. From the context arrow, click Resynchronize. At the prompt, have the admin provide the tokencode shown on the token without the PIN. If the admin has a software token, have them enter 0000 as the PIN in the token app so that it displays only the tokencode (the digits shown on the token) and not a passcode (PIN + tokencode).
- Launch the authentication activity monitor (Reporting > Real Time Activity Monitors > Authentication Activity Monitor).
- Using a different browser, have the admin try to log in to the Security Console to confirm the changes worked and authentication is now successful.
- When the temporary admin was created, the console session displayed the message: Console authentication policy is changed to RSA_Password/LDAP_Password. If that policy needs to be changed back, select Setup > Security Console Authentication Methods. Under Console Authentication, add or remove the methods available according to your company's security policies, then click Save. Any change here requires that the cache be flushed again, as in the Flush Cache steps above. Once the original super admin can log in again, delete the temporary admin rather than waiting for its console access to expire, and if SSH was enabled only for this procedure, disable it again under Administration > Operating System Access in the Operations Console.