We use the extendable capability for software tokens to lengthen the time we need to redeploy soft tokens, however for accounting purposes, we don't see a way to enumerate what was done. Is there a way to report on extended tokens?
Ideally we would be able to show users with extended tokens, and what the serial numbers are for the soft tokens that were used to extend it.
Thank you Edward Davis, you have confirmed my suspicion. If you might guide me on the necessary steps to accomplish querying the RSA database for information to receive similar output. That seems to be the solution we need.
easiest way, SSH to Linux OS on Primary AM server, with PuTTy or whatever app.
You would need to first enable SSH in the AM Operations Console - Admin - Operating System Access
You'll need to know the Operating System account and Password, the account is typically named rsaadmin and the password was set during Quick Setup.
Use PuTTy or other SSH app to connect to the Primary and logon with OS credentials
In order to access the PGSql database, you need to;
1. obtain your database dba password - with an rsautilty command, refer to this KB for help 000016923 - How to run a SQL query for Authentication Manager 8.0 or 8.1 and write the output to a file for support
2. logon to the database as an administrator with full rights, so either be careful and only run select commands or create a read-only database user. To do this;
a. cd /opt/rsa/am/utils
b. ./rsautil manage-database -a create-readonly-user -r jayg -p passw0rd
This will create read-only DB User = jayg with password = passw0rd
Either way, after this you can run Ed' SQL command.
Hi Jay, I will use that to make a read only user, however the output as described in the article needs further massaging for our auditing team to use. Is that how Edward Davis extracted the information, or is there a tool or method that is quicker to get this?
Ed's using some remote SQL app from his Windows Desktop, instead of from Linux. The
/rsautil manage-database -a create-readonly-user
(I've also seen it documented as ./rsautil manage-readonly-dbusers in earlier versions of AM 8.0)
https://community.rsa.com/docs/DOC-45361
has an -i switch for an IP address or subnet, that opens a hole in the AM iptables Firewall to allow that IP or subnet range to have access through TCP port 7050 to pgsql.
You could also add the output option, -o /tmp/sql_output.txt to your command to start PGsql, ./psql -h localhost -p 7050 -d db -U rsa_dba
then use WinSCP to copy sql_output.txt off the AM server and use Xcel to manipulate it.
When listing tokens, this will be in the columns
If I unassign extended tokens, they will still show the info about being extended and by what ser number:
(in my example the extension token did happen to expire on 2/18/2018, but the original token was expired back in 2014)
However, the reports for software tokens, or users with tokens, only works on expiration date or serial number range, they do not have a field for 'extension token'.
---
More custom information can be had with an SQL query.
This example shows two extended tokens for internal database user ZAZ,
and one extended [and expired] token assigned to ldap user CFITZ,
with some details (there are far more columns available in both am_token and ims_principal_data)
SELECT
am_token.serial_number,
am_token.extension_mode,
am_token.extend_token_sn,
am_token.orig_token_shutdown_date,
am_token.token_shutdown_date,
ims_principal_data.loginuid
FROM
rsa_rep.am_token,
rsa_rep.ims_principal_data
WHERE
am_token.principal_id = ims_principal_data.id
and
am_token.extension_mode = '1';