A concise guide to updating Auth Manager 7.1 passwords

Goal

How to reset the master password, Security Console password and Operations Console password

How to change master password

How to change Security Console admin password

How to change Operations Console admin password

Fact

Authentication Manager 7.1

RSA SecurID Appliance 3.0

Symptom

Unable to access Operations Console

Unable to access Security Console

Does not have master password

Does not have Operations Console password

Does not have Security Console password

Unable to logon to Operations Console

Unable to logon to Security Console

Cause

During installation of Authentication Manager 7.1 you are asked for a SuperAdmin UserID and password. This UserID and password on day one is used for the following:
1. Security Console Login
2. Operation Console Login
3. MasterPassword
Note: Changing any one of these passwords does not change the others. Each of the Password Values is independent.

Fix

I. Reset the master password when it is lost, or change the master password when it is known.

A) When the current master password is lost or unknown.

· Obtain the reset-masterpwd.jar from RSA Customer Support.

· Copy the jarfile onto the Authentication Manager system.

· Copy the reset-masterpwd.jar into the RSA Authentication Manager\utils\lib directory and run it as follows:

Authentication Manager 7.1 (software)

C:\Program Files\RSA Security\RSA Authentication Manager\utils> rsautil reset-masterpwd

Enter New Master Password: **********

Confirm New Master Password: **********

Properties from C:\PROGRA~1\RSASEC~1\RSAAUT~1\utils\etc\systemfields.properties recovered successfully.

Appliance 3.0

cd /usr/local/RSA Security/RSA Authentication Manager/utils
./rsautil reset-masterpwd

Enter New Master Password: **********

Confirm New Master Password: **********

· If you need to run the rsautil again, you will need to delete the systemfields.properties.backup file created during the first run. Navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils and run the following command:

del C:\PROGRA~1\RSASEC~1\RSAAUT~1\utils\etc\systemfields.properties.backup

· If, when resetting the master password, the following error displays, then edit rsaenv.cmd to change the entry for CLU_User from User A to User B. Save/close. Test running the password change util again.

Error cannot run as user User A. rsautil can only be run by User B. User not longer exists.

B) When the current master password is known.

Change your master password. Type:
rsautil manage-secrets --action change -N new_password
where new_password is the new master password you want to use.

Press ENTER.

When prompted, type your current master password (the one you want to change), and press ENTER.
The message “Master password changed successfully” appears.

To make sure that your new master password is backed up, copy the systemfields.properties file in
<RSA_HOME>/utils/etc to a secure location using secure networking or removable media.

II. Create a new admin who logs on to the Security Console

· To change this admin password, open a command prompt and navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils.

· Run the following command to create a user named tempAdmin:

rsautil restore-admin –u tempAdmin –p <password to assign to tempAdmin>

Enter Master Password: **********

A temporary admin will be created with the user ID 'tempAdmin'.

Are you sure you want to continue (Y/N): Y

Admin created successfully.

· Note that tempAdmin's access will expire in 24 hours, so log onto the Security Console as tempAdmin as soon as possible. Once logged on, go to Identity > Users > Manage Existing. Search for your admin user whose password needed to be reset. From the context menu, select Edit. Scroll to the section labeled Password. Key in the correct password for this user and click Save.

III. Change the password for the admin who logs on to the Operations Console

· Open a command prompt and navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils.

· At the prompt, type the following command to see a list of all Ops Console admins. (Note: All actions for manage-oc-administrators requires the Super Admin name and password. This can be the Security Console admin from the steps above.)

rsautil manage-oc-administrator -a update

Super Administrator's name: tempAdmin

Super Administrator's password: ************

Enter User Name: admin

Enter User Password: ************

Confirm User Password: ************

User 'admin' updated successfully.

· Run the command rsautil manage-oc-administrators -a list to see a list of existing Ops Console admins.

note

There are three passwords that are defined when installing Authentication Manager 7.1 or the RSA SecurID Appliance 3.0.

These passwords are:

· As the master password (which is only used when you have to run command line utilities);

· The password used by the superadmin named Admin to access the Security Console;

· The password used by the Operations Console admin (who is also named Admin but in actuality is a different user) to access the Operations Console.

All of these passwords can be reset, but there are different procedures for each. If you have lost all of the passwords, follow the step in this solution to restore them.

After following these steps you should have access to your consoles.

For the RSA SecurID Appliance 3.0, the default install path is /usr/local/RSASecurity/RSAAuthenticationManager/. All of the commands above will be the same.

-Regards,

Blackhattrick blog

(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)