000038115 - Unable to login to Self-Service Console after moving web tier to Internet in RSA Authentication Manager 8.4 patch 6

Document created by RSA Customer Support Employee on Nov 11, 2019Last modified by RSA Customer Support Employee on Oct 29, 2020
Version 3Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000038115
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0
IssueOne or more of the following errors occur:
  • When the user logs in to Self-Service Console, it displays the following error:

Sorry, your request cannot be processed at this time. It either has been processed or is bad request. Return to home and try again.


  • The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error: 


com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by: com.rsa.common.SystemException: 
Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.


  • The /opt/rsa/am/server/logs/imsTrace.log shows an unknown IP address: 


trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied. 
The authentication request was routed through a load balancer <IP address> (This IP is not used to define the virtual host in Operations Console).


  • The /opt/rsa/am/server/logs/imsTrace.log shows the following error:  


2019-10-14 16:35:04,156, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (SSOServiceImpl.java:285), 
trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied. The authentication request was routed 
through a load balancer <IP address> that is not recognized by the system.


  • The opt/rsa/am/server/logs/AdminServer_access.log on Web Tier has the following lines showing the incorrect IP address:


#Start-Date: 2019-10-14 16:34:56
<IP address> 2019-10-14 16:34:56 0.313 GET / 302 285
<IP address> 2019-10-14 16:34:56 0.187 GET /console-selfservice/ 302 313
<IP address>  2019-10-14 16:34:57 0.844 GET /console-selfservice/SelfService.do 200 13280
<IP address> 2019-10-14 16:34:58 0.031 GET /console-selfservice/images/default/caret_gray.gif 200 56
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help.gif 200 1648
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help_caret.gif 200 49
<IP address> 2019-10-14 16:34:58 0.016 GET /console-selfservice/images/default/spacer.gif 200 43
<IP address> 2019-10-14 16:34:58 0.094 GET /console-selfservice/framework/rsa/css/framework-ext.css 200 20506
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_wait.gif 200 771
<IP address> 2019-10-14 16:34:58 0.203 GET /console-selfservice/framework/js/extjs/4.0.2a/resources/css/ext-all-gray.css 500 5931
<IP address> 2019-10-14 16:34:58 0.407 GET /console-selfservice/framework/js/extjs/4.0.2a/ext-all.js 500 5931
<IP address> 2019-10-14 16:34:58 0.141 GET /console-selfservice/images/default/selfservice_logo.gif 200 16268
<IP address> 2019-10-14 16:34:58 0.093 GET /console-selfservice/common/components/smartmenu/c_smartmenus.js 200
CauseThe authentication requests are coming from an IP address which is not defined in the load balancer details in the RSA Authentication Manager Operations Console.
ResolutionTo resolve this issue,
  1. Login to the primary's RSA Authentication Manager Operations Console.
  2. Go to Deployment Configuration > Virtual Host & Load Balancing.
  3. Add the appropriate IP address in Load Balancer Details box and press Add when done.
  4. Press Save to exit.
Workaround Bypassing the loadbalancer IP check:
 
  1. SSH to v8.0 appliance as rsaadmin.
  2. Obtain Database Administrator User ID (rsa_dba) password.

    NOTE: the OC Administrator username and returned rsa_dba password shown below are example values only.
    rsaadmin@am8-p:~> cd /opt/rsa/am/utils
    rsaadmin@am8-p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
    Please enter OC Administrator username: ocadmin
    Please enter OC Administrator password: ********
    com.rsa.db.dba.password: FO3hibQ7dCYPQpeXjHsP7xxwhSpJEK



     

  3. Connect to the Authentication Manager 8.x database.

    rsaadmin@am8-p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba



     

  4. You will be prompted for the com.rsa.db.dba.password obtained previously.  SQL queries can then be run from the command line then bypass the loadbalance IP issue:

    rsaadmin@am8p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
    Password for user rsa_dba:
    psql.bin (9.1.9)
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
    Type "help" for help.

    db=#UPDATE RSA_REP.ims_config_value SET value='true' WHERE name='ims.sso.service.bypass_loadbalancer_config_check';

  5. Finally, restart AM services:

    rsaadmin@amp:/opt/rsa/am/server> ./rsaserv restart all

  6. Check if Webtiers require reinstallation and the issue will be resolved afterwards.
NotesThere can be up to 30 logs stored for the imsTrace.log, imsConsoleTrace.log and Admin_Server_access files. Additional files will have a number value appended to the file name (file name.log.1, file name.log.2, so on).

Attachments

    Outcomes