000038625 - Unable to make a successful Web Service API createChangeRequest call from a Workflow in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Mar 25, 2020Last modified by RSA Customer Support Employee on May 26, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000038625
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7.2.0
IssueThe Web Service API createChangeRequest command fails when called from an RSA Identity Governance & Lifecycle workflow.   

The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) shows the following INFO level log message:

02/08/2020 10:55:54.351 INFO  (Worker_actionq#Normal#jdbc/avdb_1) [com.aveksa.server.workflow.webservices.rest.client.RestClient]
REST Request Completed with status code: 401 and Message: Unauthorized

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
CauseThis issue occurs when the security on the createChangeRequest Web Service command is set to Request Forms and Workflows (no token). In the user interface go to Admin > Web Services > Request tab > Configure button for createChangeRequest.
User-added image

Admin Web Services API calls typically require an authentication token to allow access to the API commands. The Web Service loginUser command (Admin > Web Services > Admin tab) accepts an RSA Identity Governance & Lifecycle username and password value for a particular user and then creates a user session token that impersonates that user. Subsequent Admin Web Service API calls then use the user session token and are identified as the user that was authenticated. 

The createChangeRequest (Admin > Web Services > Request tab) API command is an example of an Admin Web Services API call that requires an authenticated user in order to complete the call. When a createChangeRequest call is made, the change request is generated as the user session token user. When the createChangeRequest call is made from a workflow, it needs to be configured so that a user session token is not required. As a result, when the createChangeRequest  is called from a workflow, the createChangeRequest call fails because there is no user associated with the command.

This is a known issue reported in engineering ticket ACM-103573.
ResolutionThis issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.1.1 P07
  • RSA Identity Governance & Lifecycle 7.2.0 P01
The fix will be to allow the createChangeRequest calls to be made without presenting a user session token. The requests will be generated under a user called System.
WorkaroundThe only workaround to this issue is to pass a user session token with the request. which is not practical for use within a workflow.
NotesOther Admin API Web Services requests that require a user reference may also fail including but not limited to. 

cancelChangeActivity, updateReviewItems, cancelChangeActivity, etc...