000037090 - Adding an additional Operations Console administrator fails with the error message Encrypted data could not be updated in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jan 29, 2019. Last modified by RSA Customer Support Employee on Jan 29, 2019.
Version 5

Article Content

Article Number: 000037090
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: An Operations Console administrator is a user with permissions to perform administrative tasks in the Operations Console and to run some command line utilities. An attempt to create a new Operations Console administrator in the Security Console throws the following error:

Encrypted data could not be updated

Cause: Creating an Operations Console administrator fails because the maximum number of Operations Console administrator accounts has been reached. With the trace log level set to Verbose, /opt/rsa/am/server/logs/imsTrace.log captures the underlying error:

2019-01-10 02:33:23,209, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SystemfieldsUserAdministrationImpl.java:80), trace.com.rsa.ims.ocadmin.management.impl.SystemfieldsUserAdministrationImpl, ERROR, am82p.vcloud.local,,,,Failed to create systemfields user com.rsa.common.InvalidArgumentException: Failed to encrypt field com.rsa.pwd.auth.users
  at com.rsa.ims.ocadmin.management.util.SystemfieldsWrapper.setTextField(SystemfieldsWrapper.java:106)
  at com.rsa.ims.ocadmin.management.impl.AbstractSystemfieldsUsersAdministration.create(AbstractSystemfieldsUsersAdministration.java:68)      
  at com.rsa.ims.ocadmin.management.impl.SystemfieldsUserAdministrationImpl.create(SystemfieldsUserAdministrationImpl.java:73)
  at com.rsa.ims.ocadmin.management.CreateOcAdminCommandExecutive.performExecute(CreateOcAdminCommandExecutive.java:51)
  at com.rsa.ims.ocadmin.management.CreateOcAdminCommandExecutive.performExecute(CreateOcAdminCommandExecutive.java: 
  at com.rsa.command.TargetableCommand.performExecute(TargetableCommand.java:470)   
  at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119)
  at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1)  
  at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268)  
  at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)
  at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
  at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260)   
  at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)
  at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1)  
  at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
  at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
  at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445)  
  at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373)
  at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:34)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:701)
  at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:231)
  at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:527)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)  
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)   
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:523)   
  at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)   
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)  
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)
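
The following is an added example, not part of the RSA article or RSA tooling: a small Python scanner that finds this failure in a copy of imsTrace.log by matching the error text and the CreateOcAdminCommandExecutive stack frame shown above. The entry header layout is an assumption inferred from the single entry on this page, and the two surrounding sample entries are constructed.

```python
import re

# Entry header layout inferred from the one imsTrace.log entry shown above (assumption):
# <date> <time>,<ms>, [<thread>], (<File.java:line>), <logger>, <LEVEL>, <host>,,,,<message>
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), \[.*?\], \([^)]*\), "
    r"(?P<logger>[^,\s]+), (?P<level>[A-Z]+), (?P<host>[^,]*),,,,(?P<msg>.*)$"
)
# Strings taken from the entry above.
FIELD_ERROR = "Failed to encrypt field com.rsa.pwd.auth.users"
CREATE_FRAME = "CreateOcAdminCommandExecutive.performExecute"


def find_oc_admin_create_failures(lines):
    """Return one dict per ERROR entry that matches the failure shown above."""
    hits, current = [], None
    for line in lines:
        m = HEADER.match(line)
        if m:  # a new entry starts; decide whether to track it
            current = None
            if m["level"] == "ERROR" and FIELD_ERROR in m["msg"]:
                current = {"timestamp": m["ts"], "host": m["host"], "create_frame": False}
                hits.append(current)
        elif current is not None and line.lstrip().startswith("at ") and CREATE_FRAME in line:
            # Stack frame of the tracked entry: the error came from OC admin creation.
            current["create_frame"] = True
    return hits


# Constructed sample: the entry from this article (stack shortened) between two made-up entries.
SAMPLE = """\
2019-01-10 02:31:02,114, [[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'], (Example.java:10), trace.com.example.Placeholder, INFO, am82p.vcloud.local,,,,Constructed unrelated entry
2019-01-10 02:33:23,209, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SystemfieldsUserAdministrationImpl.java:80), trace.com.rsa.ims.ocadmin.management.impl.SystemfieldsUserAdministrationImpl, ERROR, am82p.vcloud.local,,,,Failed to create systemfields user com.rsa.common.InvalidArgumentException: Failed to encrypt field com.rsa.pwd.auth.users
  at com.rsa.ims.ocadmin.management.util.SystemfieldsWrapper.setTextField(SystemfieldsWrapper.java:106)
  at com.rsa.ims.ocadmin.management.CreateOcAdminCommandExecutive.performExecute(CreateOcAdminCommandExecutive.java:51)
2019-01-10 02:40:00,001, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (Example.java:20), trace.com.example.Placeholder, ERROR, am82p.vcloud.local,,,,Constructed unrelated error
  at com.example.Placeholder.run(Example.java:20)
""".splitlines()

if __name__ == "__main__":
    for hit in find_oc_admin_create_failures(SAMPLE):
        print(hit)
```

A hit with `create_frame` set to True corresponds to the entry this article attributes to the Operations Console administrator limit; a hit without it only shows that the same field failed to encrypt.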

Resolution: A maximum of 42 Operations Console administrators can be created in the Security Console.
Workaround: Like the super admin role, an Operations Console administrator account should only be granted to the most trusted administrators.

Operations Console administrators provide predefined roles and have the permissions required to perform most of the tasks offered by the Operations Console.  

As a workaround:
  1. From the Security Console, navigate to Administration > Manage OC Administrators.
  2. Review the users who are listed as Operations Console administrators, checking for admins who no longer administer the deployment.
  3. Click Delete to remove the administrator, then confirm by clicking OK.
  4. Once admins have been removed, new Operations Console admins can be added.
Notes: Refer to the documentation on how to Add an Operations Console Administrator.

To set logging to Verbose:
  1. Log on to the Security Console and navigate to Setup > System Settings.
  2. Under Basic Settings, select Logging.
  3. Select the server on which to enable logging and click Next. Note that if you choose the primary, there is an option on the next page to apply settings to all replicas.
  4. Set the Trace Log value to Verbose.
  5. Click Save.
 

Important: Do not set the trace logging level to verbose for extended periods of time unless instructed to do so by RSA Customer Support. Trace logs may occupy large amounts of disk space and this can impact system performance.
