The affected users are internal users who were migrated from the internal database to an external identity source using the export and import tool in the Security Console (Administration > Export/Import Tokens and Users > Export Tokens and Users). These users had the Force Password Change flag turned on while they were internal users.
Opening an affected user in Edit mode in the Security Console shows that the Force Password Change flag is enabled.
Trying to uncheck the option for the Force Password Change flag throws the following error:
Take a full backup of the database from the Operations Console (Maintenance > Backup and Restore > Backup Now) or take a snapshot of the virtual server.
Launch an SSH client, such as PuTTY.
Log in to the primary Authentication Manager server as rsaadmin, either at the local console or through secure shell. If secure shell is not already enabled, see Enable Secure Shell on the Appliance.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter the operating system password>
Last login: Mon Oct 17 12:11:02 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
Navigate to /opt/rsa/am/utils.
Capture the database password string, entering the Operations Console administrator user name and password when prompted.
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter the Operations Console administrator name>
Please enter OC Administrator password: <enter the Operations Console administrator password>
Connect to the PostgreSQL database.
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password string captured from Step 4 above>
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
Run the following SELECT query from the db=# prompt:
db=# SELECT change_password_flag, loginuid, id FROM ims_principal_data WHERE loginuid = '<Affected UserID>';
The affected users will have the change_password_flag column set to true.
Run the following UPDATE query from the db=# prompt