000038054 - QR code not displaying in the RSA Authentication Manager Prime Self-Service Portal (SSP)

Document created by RSA Customer Support Employee on Oct 15, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038054
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime
RSA Version/Condition: 8.4
Platform: Java Runtime Environment 1.8.x
IssueAfter an upgrade to RSA Authentication Manager 8.4 patch 6 and upgrading the Java version on the Authentication Manager Integration Service (AMIS) server from JRE 1.7.0 to JRE 1.8.0_221, the Self-Service Portal (SSP) failed to generate the QR code for the token request/replacement.

The QR code image keeps spinning without generating the QR code.

QR code is not generated and the SSP keeps spinning.
Cause

The CTF conversion utility uses the Java random function which results in a massive delay in minutes.  Oracle has noted this performance issue regarding using the random function to generate cryptographically strong random number generator (RNG), and the resolution is below in the resolution section.


As per the logs:



  • The header request API call sent from the AMIS server to the Authentication Manager server is not correct. It is stating that the distribution type of the token is CTF, however it should be CTKIP.
  • Below is the API call generated from the SSP request, found in the ssp_daily.log file, with theissuehoghlighted in red:

2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,start :: replaceNextToken
2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL : http://localhost:8181/am8/token/replace/{tokenserial}/{newtokenserial}?newPinMode={booleanFlag}
2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL Parameters : {tokenserial=000156522108, tokenType=software, booleanFlag=false}
2019-10-10T06:29:22,244-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,service result <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<serviceResult result="true">
<TokenSerialNumber>000156522080</TokenSerialNumber>
</serviceResult>

2019-10-10T06:29:22,245-0700,com.rsa.pso.selfservice.web.SSPHomeActionBean,?,INFO ,000156522108 got replaced with 000156522080
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,start :: updateToken
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,Header value 22818430
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL : http://localhost:8181/am8/token/update/
2019-10-10T06:29:22,258-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,Token Entry :<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tokenEntry>
<algorithm>time</algorithm>
<deviceType>ims.000000000000000000002001f0050028</deviceType>
<distribution CTF="false">
<QR background="16777215" foreground="0" size="220"/>
<STDID copyProtected="false" distributionType="ctf" passwordProtect="NoPassword" regenerateTokenCode="false">
<CTFExpirationMinutes>15</CTFExpirationMinutes>
</STDID>
</distribution>
<enabled>true</enabled>
<interval>60</interval>
<pin requirePintAtNextLogin="false"/>
<properties clearValues="false">
<property name="DeviceSerialNumber" value=""/>
</properties>
<tokenCodeLength>8</tokenCodeLength>
</tokenEntry>


  • As per the Prime AMIS Developer's Guide, the request for CTKIP should look like the snippet shown below. The header below does not contain the distribution type CTF which is the error in the above request.

<tokenEntry>
<enabled>true</enabled>
<distribution>
<QR size="200" />
<CTKIP deviceFamilyName="iPhone" />
</distribution>
<deviceType>ims.000000000000000000002001f0050022</deviceType>
<algorithm>time</algorithm>
<tokenCodeLength>8</tokenCodeLength>
<interval>60</interval>
<properties clearValues="false">
<property name="DeviceSerialNumber" value="556f1985-33dd-442c-9155-3a0e994f21b1" />
</properties>
<pin requirePintAtNextLogin="false" action="nothing" pinType="passcode" />
</tokenEntry>
ResolutionBelow are the steps to resolve the issue by editing the java.security file:
  1. Navigate to JRE_HOME/lib/security/.
  2. Edit the java,security file using a text editor:


vi java.security


  1. Search for securerandom.source.  Search in vi by pressing Escape button and typing a forward slash then the text string:


/securerandom.source


  1. Change the line from securerandom.source=file:/dev/random to:


securerandom.source=file:/dev/./urandom


  1. Stop and start all Tomcat services for AMIS and SSP.

Attachments

    Outcomes