000038118 - Extension token configuration does not exist in the configuration service on RSA Authentication Manager 8.2 and up while attempting to extend SecurID token lifetime.

Document created by RSA Customer Support Employee on Jan 10, 2020Last modified by RSA Customer Support Employee on Jan 10, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038118
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.3, 8.4 
Issue
  • Software tokens are distributed on RSA Authentication Manager 8.2 and up.
  • Tokens meet the other conditions for being extended; such as, tokens are not already be in the process of being replaced or extended.
  • Search results display Yes in the Extendable column for software tokens that are eligible for extension.
  • The token record file that contains extension token records was imported. 
  • An attempt to Extend SecurID Token Lifetime using methods outlined at Extend Software Token Lifetimes Errors "The extension token configuration does not exist in the configuration service"
      User-added image

The error shown here is in the primary instance's /opt/rsa/am/server/logs/imsConsoleTrace.log with verbose logging enabled:

@@@2019-11-07 23:42:28,936, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTargetBase.java:178),
trace.com.rsa.command.EJBRemoteTargetBase, ERROR, SOMP-RSA01.colehaan.net,,,,Exception during command execution.
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: AM_EXTEND_TOKEN_LIFETIME_NOT_DEFINED
Caused by: com.rsa.common.SystemException: AM_EXTEND_TOKEN_LIFETIME_NOT_DEFINED
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.a(TokenAdministrationImpl.java:1771)
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.a(TokenAdministrationImpl.java:1550)
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.lookupExtensionTokenLifeConfigValue(TokenAdministrationImpl.java:933)
at com.rsa.authmgr.admin.tokenmgt.LookupExtensionTokenConfigCommand$Executive.execute(LookupExtensionTokenConfigCommand.java:7)
at com.rsa.authmgr.admin.tokenmgt.LookupExtensionTokenConfigCommand.performExecute(LookupExtensionTokenConfigCommand.java:128)


 
CauseThe AM_EXTEND_TOKEN_LIFETIME parameter has no defined value. 
Resolution
  1. Launch an SSH client, such as PuTTY.
  2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.



  1. Change to /opt/rsa/am/utils:


login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Nov 06 12:46:44 2018 from xxxxxxxxxxxxx
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@SOMP-RSA01:~> cd /opt/rsa/am/utils


  1. Type the command ./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration <number> GLOBAL 503, where number is the number of days before expiration.  For example, we can set the days to 60, as shown below.


rsaadmin@SOMP-RSA01:/opt/rsa/am/utils> ./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration 60 GLOBAL 503
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/fa85b98e-58c6-4df5-a9fb-fa1a60cb1e681066583051878639531.sql:167: NOTICE:   Changed the value of configuration parameter
'auth_manager.extend_token_life.token_days_remaining_for_expiration' from 'number' to '60' for the instance 'GLOBAL'.
update_config
---------------

(1 row)


  1. Restart all RSA Authentication Manager services on the primary:


rsaadmin@SOMP-RSA01:/opt/rsa/am/utils> cd /opt/rsa/am/server
rsaadmin@SOMP-RSA01:/opt/rsa/am/server> ./rsaserv restart all


  1. Log on to each replica instance and restart services.


rsaadmin@SOMP-RSA02:/opt/rsa/am/utils> cd /opt/rsa/am/server
rsaadmin@SOMP-RSA02:/opt/rsa/am/server> ./rsaserv restart all

Attachments

    Outcomes