AnsweredAssumed Answered

How to activate an Online Emergency Token Code though API ?

Question asked by Thomas Ricou on Sep 28, 2018
Latest reply on Oct 2, 2018 by Ted Barbour

Like • Show 0 Likes0
Comment • 7

Hi,

Actually, I managed to do basic tasks with powershell though New-WebServiceProxy. I can assign/unassign tokens to (Active Directory) users making some verifications like making sure nobody gets 2 tokens.

I would like now to permit one of my user to use a temporary Fixed Token code for let's say 2 weeks. I need to allow authentication with the token at any time and then disable online emergency tokencode.

First, I don't know the good workflow for this, I mean, do my code choose the code or will the response contain it ? Do I have to create an empty TokenEmergencyAccessDTO, fill it with parameters and then user the update command ? How does the GenerateEmergencyAccessCodeCommand command work ?

I can't find the procedural steps to permit my user to use an emergency token code though the API.

Since I already had a command server and a sessionid, I tried :

1. GenerateEmergencyAccessCodeCommand

$query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
$query.tokenGuid = $token.id

$CommandServer.executeCommand($loginCommand.sessionId, $query)

I get the following error while I can't specify an identity source : com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified

2. LookupTokenEmergencyAccessCommand

I could not make it work

3. UpdateTokenEmergencyAccessCommand

I could not make it work neither by passing a tokenEmergencyAccesDTO :

algorithm                       : 0
clearUnusedCodes                : False
downloadNewEaTokenCode          : False
eaExpiration                    : 30/09/2018 00:00:00
eaMode                          : 1
eacExpiresOn                    :
emergencyAccessTokenCode        :
emergencyAccessTokenCodeAllowed : True
id                              :
lastEaAuth                      :
lastTFTAuth                     :
lostMode                        : 0
numUnusedCodes                  : 0
offlineAuthAllowed              : False
oneTimeTokencodeSet             :
serialNumber                    : 000505193721
temporaryFixedTokencode         : 852963
tftExpiration                   :
tokenLost                       : False
tokenType                       : 0
validDownloadedData             : False
validOfflineData                : False
validOnlineData                 : False

Well any help in activating Emergency access code with API would be much appreciated !

Ted Barbour

Oct 2, 2018 10:01 AM

Correct Answer

Hi Thomas - I see that you have opened a support case with RSA. That's probably the route to go as I have too many unanswered questions to efficiently troubleshoot this in the forum.

Thanks,

Ted

See the reply in context

No one else had this question

Outcomes

7 Replies

Ted Barbour Sep 28, 2018 1:59 PM
Mark Correct
Correct Answer
Hi Thomas - here is some rough test code (java) around generating emergency code. Hopefully this will get you headed in the right direction…

//Lookup token guid
LookupTokenCommand lookup = new LookupTokenCommand();
lookup.setSerialNumber(sn);
lookup.execute();
TokenDTO token = lookup.getToken();
//set up emergency access
LookupTokenEmergencyAccessCommand lookupEA = new LookupTokenEmergencyAccessCommand();
lookupEA.setGuid(token.getId());
lookupEA.execute();
TokenEmergencyAccessDTO eac = lookupEA.getTokenEmergencyAccess();
eac.setTokenLost(true);
eac.setLostMode(TokenDTO.DISABLE_EA_ON_AUTH);
eac.setEaMode(1); //fixed tokencode
eac.setEaExpiration(new Date(109,8,16)); //September 16, 2009
//generate and set code
GenerateEmergencyAccessCodeCommand genEAC = new GenerateEmergencyAccessCodeCommand();
genEAC.setTokenGuid(token.getId());
genEAC.execute();
String code = genEAC.getEmergencyAccessCode();
eac.setTemporaryFixedTokencode(code);
System.out.println("EAC for "+ sn + "is: "+ code); //display the EA tokencode
//apply the EA settings - equivalent to the "Save" button on the SC GUI
UpdateTokenEmergencyAccessCommand updateEA = new UpdateTokenEmergencyAccessCommand(eac);
updateEA.execute();
Like • Show 0 Likes0
Actions
- Thomas Ricou @ Ted Barbour on Oct 1, 2018 5:19 AM
  Mark Correct
  Correct Answer
  Hi Ted,
  
  I just ran into the process you described (thanks a lot for it) but when I use the LookupTokenEmergencyAccess Command, I get the following error : com.rsa.command.exception.DataNotFoundException: IdentitySource-Lookup : IdentitySource Guid is not specified
  
  Would you have any clue about this ?
  
  Thanks.
  Like • Show 0 Likes0
  Actions
  - Thomas Ricou @ Thomas Ricou on Oct 1, 2018 6:51 AM
    Mark Correct
    Correct Answer
    Same with GenerateEmergencyAccessCodeCommand
    Like • Show 0 Likes0
    Actions
    - Ted Barbour @ Thomas Ricou on Oct 1, 2018 11:45 AM
      Mark Correct
      Correct Answer
      Please see the AdminAPIDemos example code in the SDK for example of obtaining an identity source identifier:
      
      …
      public AdminAPIDemos() throws Exception {
              SearchRealmsCommand searchRealmCmd = new SearchRealmsCommand();
              searchRealmCmd.setFilter(Filter.equal(RealmDTO.NAME_ATTRIBUTE, "SystemDomain"));
              searchRealmCmd.execute();
              RealmDTO[] realms = searchRealmCmd.getRealms();
              if (realms.length == 0) {
                  throw new Exception("ERROR: Could not find realm SystemDomain");
              }
              domain = realms[0].getTopLevelSecurityDomain();
              idSource = realms[0].getIdentitySources()[0];
      …
      
      Beyond that we would need to see your code and the stack trace/error being thrown to try to help further.
      
      Ted
      
      Like • Show 0 Likes0
      Actions
      - Thomas Ricou @ Ted Barbour on Oct 1, 2018 12:14 PM
        Mark Correct
        Correct Answer
        Actually I don't have any trouble getting the idSource when needed but here, I get the error on a function that doesn't ask for the idSource.
        You can copy/paste this code into connect_rsaapi.ps1 (it complies with my company's coding rules) :
        function rsa_set_globals(
            [string]$rsa_server = "<your RSA AM server>",
            [string]$admin_login = '<your login>',
            [SecureString]$admin_password, # can be passed through : $admin_password = read-host -AsSecureString
            [string]$api_login = "CmdClient_********",
            [string]$api_password = "******************************"
        ) {
           write-host "Récup WSDL et creation namespace rsaapi" -ForegroundColor DarkCyan
           $secpass=ConvertTo-SecureString $api_password -AsPlainText -Force
           $cred=New-Object System.Management.Automation.PSCredential($api_login, $secpass)
           [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
           $securIDWebWervice = New-WebServiceProxy -Uri "https://${rsa_server}:7002/ims-ws/services/CommandServer?wsdl" -Namespace rsaapi -Credential $cred
        
           write-host "Créer le server de commandes" -ForegroundColor DarkCyan
           $Global:CommandServer = New-Object rsaapi.CommandServerService
           $Global:CommandServer.Credentials=$cred
           $Global:CommandServer.Url="https://${rsa_server}:7002/ims-ws/services/CommandServer"
        
           write-host "Mise en forme des identifiants de $admin_login" -ForegroundColor DarkCyan
           $userNameParam=New-Object rsaapi.FieldParameterDTO
           $userNameParam.promptKey="AUTHENTICATIONSERVICE_PRINCIPALID"
           $userNameParam.value = $admin_login
        
           $userPasswordParam=New-Object rsaapi.FieldParameterDTO
           $userPasswordParam.promptKey = "PASSWORD_CREDENTIAL"
           $userPasswordParam.value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($admin_password))
        
           [rsaapi.AbstractParameterDTO[]]$paramsArray=@($userNameParam,$userPasswordParam)
        
           write-host "Connexion de $admin_login" -ForegroundColor DarkCyan
           $Global:loginCommand = New-Object rsaapi.LoginCommand
           $Global:loginCommand.authenticationMethodId="LDAP_Password"
           $Global:loginCommand.parameters=$paramsArray
           $Global:loginCommand=$Global:CommandServer.executeCommand([System.Management.Automation.Language.NullString]::Value , $loginCommand)
        
           if (! $loginCommand.authenticationState.Equals("authenticated")) {
               write-host "Login et/ou mot de passe incorrects" -ForegroundColor Red
               throw "Login et/ou mot de passe incorrects"
           }
        }
        
        function rsa_get_idsource (
           [string]$nom = "<Your Id source Name (Active directory domain for me)>"
        ) {
           $query = New-Object rsaapi.GetIdentitySourcesCommand
           $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           return ($result.identitySources | where {$_.name -like $nom})
        }
        
        function rsa_get_user(
           [Parameter(Mandatory=$True)][string]$login,
           [int]$min = 1,
           [int]$max = 1,
           [int]$search_limit = 5000 # I used the dirty way here...I know...
        ) {
           $query = New-Object rsaapi.SearchPrincipalsCommand
           $query.identitySourceGuid = (rsa_get_idsource).guid
           $query.limit = $search_limit # I used the dirty way here...I know...
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de retrouver l'utilisateur $Login :" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
        
           $principals = $result.principals | where {$_.userID -like $login}
        
           if ($principals.count -lt $min) {
               Write-Host "On n'a pas trouvé assez d'utilisateurs avec" $login ":" $principals.count "au lieu de minimum" $min -ForegroundColor Red
               throw "Pas assez d'utilisateurs trouvés"
           } elseif ($principals.count -gt $max) {
               Write-Host "On a trouvé trop d'utilisateurs avec" $login ":" $principals.count "au lieu de maximum" $max -ForegroundColor Red
               throw "Trop d'utilisateurs trouvés"
           }
           return $principals
        }
        
        function rsa_get_token (
           [Parameter(Mandatory=$True)][long]$serialNumber
        ) {
           $query = New-Object rsaapi.LookupTokenCommand
           $query.serialNumber = "{0:D12}" -f $serialNumber
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de trouver le token $Token_number :" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
           return $result.token
        }
        
        function rsa_link_token_to_user (
           [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user,
           [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
        ) {
           $query = New-Object rsaapi.LinkTokensWithPrincipalCommand
           $query.principalGuid = $user.guid
           $query.tokenGuids    = $token.id
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de d'associer le token" $Token.serialNumber "à" $User.userID ":" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
        }
        
        function rsa_get_user_tokens (
           [Parameter(Mandatory=$True)][rsaapi.PrincipalDTO]$user
        ) {
           $query = New-Object rsaapi.ListTokensByPrincipalCommand
           $query.principalId = $user.guid
           $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           return $result.tokenDTOs
        }
        
        function rsa_unassign_token (
           [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token
        ) {
           $query = New-Object rsaapi.UnlinkTokensFromPrincipalsCommand
           $query.tokenGuids = $token.id
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de libérer le token" $Token.serialNumber "associé à '" $token.assignedUserId "' :" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
        }
        
        Add-Type -TypeDefinition @"
           public enum EA_mode
           {
              DISABLE_EA_ON_AUTH=1,
              DISABLE_EA_ON_EXPIRE=2,
              DISABLE_EA_NEVER=3
           }
        "@
        
        function rsa_emergency_code (
           [Parameter(Mandatory=$True)][rsaapi.TokenDTO]$token,
           [Parameter(Mandatory=$True)][EA_mode]$mode,
            [Parameter(Mandatory=$True)][DateTime]$expiration
        ) {
            # Générer un code
           $query = New-Object rsaapi.GenerateEmergencyAccessCodeCommand
           $query.tokenGuid = $token.id
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de générer un code d'accès pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
            $code = $result.emergencyAccessCode # the try clause has never wroked so I'm not sure this is the correct property name
        
            # Récupérer l'emergency access du token
           $query = New-Object rsaapi.LookupTokenEmergencyAccessCommand
           $query.Guid = $token.id
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de trouver l'accès d'urgence du token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
            $tokenEA = $result.tokenEmergencyAccess # the try clause has never wroked so I'm not sure this is the correct property name
        
            # Envoyer le code générer pour l'emergency access du token
            $tokenEA.tokenLost = $true
            $tokenEA.lostMode = [int]$mode
            $tokenEA.eaMode = 1 # Fixed token code
            $tokenEA.eaExpiration = Get-Date $a -Format 'MM/dd/yyyy'
            $tokenEA.temporaryFixedTokencode = $code
           $query = New-Object rsaapi.UpdateTokenEmergencyAccessCommand
           $query.tokenEmergencyAccessDTO = $tokenEA
           try {
               $result = $CommandServer.executeCommand($loginCommand.sessionId, $query)
           } catch {
               Write-host "Impossible de pousser le code" $code "pour le token" $token.serialNumber ":" $Error[0].Exception.Message -ForegroundColor Red
               throw $Error[0]
           }
        }
        
        Then, you can run in a powerhsell console :
        
        $Token_number = '12345678' # of an attributed token, of course
        $days = 7 # days to enable EA code, starting today
        $admin_login = $env:USERNAME # or login of the adminitrator connectong to the AM
        $admin_password = read-host -AsSecureString # password of this token administrator
        
        $ErrorActionPreference = "Stop"
        
        #Chargement modules
        Write-Host "Chargement console RSA" -ForegroundColor Cyan
        . connect_rsaapi.ps1
        rsa_set_globals -admin_login $admin_login -admin_password $admin_password
        
        $token = rsa_get_token -serialNumber $Token_number
        
        rsa_emergency_code -token $token -mode DISABLE_EA_ON_AUTH -expiration (Get-Date).AddDays($jours)
        Like • Show 0 Likes0
        Actions
      - Thomas Ricou @ Ted Barbour on Oct 1, 2018 12:19 PM
        Mark Correct
        Correct Answer
        If you run parts of my rsa_emergency_code function, then you will see that the GenerateEmergencyAccessCodeCommand and LookupTokenEmergencyAccessCommand does not contain an identitySourceGuid property (New-Object rsaapi.LookupTokenEmergencyAccessCommand | gm) unlike the "New-Object rsaapi.SearchPrincipalsCommand | gm" does.
        Like • Show 0 Likes0
        Actions
        Ted Barbour @ Thomas Ricou on Oct 2, 2018 10:01 AM
        Unmark Correct
        Correct Answer
        Hi Thomas - I see that you have opened a support case with RSA. That's probably the route to go as I have too many unanswered questions to efficiently troubleshoot this in the forum.
        
        Thanks,
        Ted
        Like • Show 1 Like1
        Actions

How to activate an Online Emergency Token Code though API ?

Outcomes

Related Content

Recommended Content