Managing REST Protocol Authentication Agent Credentials

After you regenerate the SecurID Authentication API agent credentials, either in the Security Console or on the command line, you must provide REST protocol authentication agents with the new Access ID and Access Key. To make this process easier and more flexible:

  • You can restore the previous agent credentials, for example, if the new credentials were regenerated by mistake. When you restore the previous credentials, the credentials that you replaced remain usable for authentication.
  • After you regenerate or restore the agent credentials, REST protocol authentication agents can continue to use the previous Access ID and Access Key for 60 days, or for a timeframe that you specify, so that authentication continues until the agents receive the new credentials. If necessary, you can extend the timeframe.
  • You can list the current and previous credentials.
  • System audit logs indicate when authentication agents use the previous credentials.

Note: If you suspect that the Access ID and Access Key have been compromised, regenerate the credentials twice before providing the new credentials to your agents. A single regeneration only moves the compromised credentials into the "previous" set, which remains valid for the grace period; a second regeneration removes them entirely.
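The following Python model is an added example, not RSA code or part of this guide. It simulates the two-slot (current and previous) credential store with a grace period to show why a leaked Access ID and Access Key are still accepted after one regeneration and rejected only after two; the class and method names, the day-number clock, and the generated sample values are assumptions.

```python
# Added model (not RSA code): current/previous credential store with a grace period.
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GRACE_DAYS = 60  # default grace period for the previous credentials

@dataclass(frozen=True)
class Credential:
    access_id: str
    access_key: str

def new_credential() -> Credential:
    # Constructed sample values; real ones come from rsautil or the Security Console.
    return Credential(secrets.token_hex(8), secrets.token_hex(16))

@dataclass
class CredentialStore:
    current: Credential
    previous: Optional[Credential] = None
    previous_expires: Optional[int] = None  # simulated day number
    audit: List[str] = field(default_factory=list)  # models the system audit log

    def generate(self, today: int, grace_days: int = GRACE_DAYS) -> None:
        """Like '-a generate': new current set; old current becomes previous."""
        self.previous, self.current = self.current, new_credential()
        self.previous_expires = today + grace_days

    def restore(self, today: int, grace_days: int = GRACE_DAYS) -> None:
        """Like '-a restore': swap the sets; the replaced set stays usable."""
        if self.previous is None:
            raise ValueError("no previous credentials to restore")
        self.current, self.previous = self.previous, self.current
        self.previous_expires = today + grace_days

    def authenticate(self, cred: Credential, today: int) -> bool:
        """Current is always accepted; previous only inside the grace period."""
        if cred == self.current:
            return True
        # previous and previous_expires are always set together
        if cred == self.previous and today <= self.previous_expires:
            self.audit.append(f"day {today}: previous Access ID {cred.access_id} used")
            return True
        return False

def compromise_response(today: int = 0) -> Tuple[bool, bool]:
    """Is a leaked set still accepted after one, then after two, regenerations?"""
    store = CredentialStore(new_credential())
    leaked = store.current
    store.generate(today)
    after_one = store.authenticate(leaked, today)
    store.generate(today)
    return after_one, store.authenticate(leaked, today)  # (True, False)
```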

Before you begin

Obtain the rsaadmin operating system password.

Procedure

  1. Log on to the appliance using an SSH client.
  2. When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
  3. Change directories:

    cd /opt/rsa/am/utils

  4. To restore the previous Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a restore

    To regenerate the Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a generate

    To list the current and previous Access ID and Access Key, enter:

    ./rsautil manage-rest-access-credential -a list

  5. Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.
    1. Change directories:

      cd /opt/rsa/am/server

    2. Run the following:

      ./rsaserv restart all