000029880 - Cannot delete an empty security domain on RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5

Article Content

Article Number: 000029880
Applies To

RSA Product Set: SecurID

RSA Product/ Service Type: Authentication Manager

RSA Version/Condition: 8.1

Issue

After all objects under a Security Domain have been removed in the Security Console and the domain has been confirmed empty, deleting the Security Domain still fails with the following error:
 
"Cannot delete a security domain that includes objects. 
Before you delete a security domain, you must move or delete all associated objects, such as
users, groups, and administrative roles."


 
Tasks

The two attached SQL files can:
  1. List all the objects that are still bound to this Security Domain in the database.
  2. Move them all to another Security Domain.
Resolution
  1. Copy the attached SQL files to the /tmp directory of the Primary server using any file transfer tool (e.g., WinSCP or FileZilla Client).
  2. SSH to the Primary server and run the following commands to obtain the password of the database admin user:

cd /opt/rsa/am/utils
./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: ocadmin
Please enter OC Administrator password: ********
com.rsa.db.dba.password: XXXXXXXXXXXXXXXXXXXXXX


Save the above password for use in the next steps.

 

To list all the objects in the database under the security domain:


Use the below commands:

cd /opt/rsa/am/pgsql/bin


./psql.bin -h localhost -p 7050 -d db -v security_domain="'<SECURITY_DOMAIN_NAME>'" -U rsa_dba -f /tmp/select_security_domains.sql


  • The second command should be typed in one line (without including a new line).
  • Replace <SECURITY_DOMAIN_NAME> with the exact name of the Security Domain to be deleted.
  • You will be prompted for the database admin user's password obtained previously.

To move all objects from this security domain to another domain (e.g., SystemDomain):


Use the below commands:

cd /opt/rsa/am/pgsql/bin


./psql.bin -h localhost -p 7050 -d db -v move_from="'<SECURITY_DOMAIN_TO_BE_DELETED>'" -v move_to="'<ANOTHER_SECURITY_DOMAIN>'" -U rsa_dba -f /tmp/update_security_domains.sql


  • The second command should be typed in one line (without including a new line).
  • Replace <SECURITY_DOMAIN_TO_BE_DELETED> with the exact name of the Security Domain to be deleted, and <ANOTHER_SECURITY_DOMAIN> with the exact name of the Security Domain you would like to move the items to.
  • You will be prompted for the database admin user's password obtained previously.
Now you can log back in to the Security Console and delete the unwanted Security Domain.
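The commands above pass the Security Domain name to psql already wrapped in single quotes, so a name that itself contains a single quote would end the SQL literal early. The wrapper below is an added example, not part of the RSA article or its attachments: it builds that literal safely and runs the list, move, list sequence. The function names, the DRY_RUN switch and the sample domain names are assumptions of this example.

```shell
# Added example, not RSA's tooling. Paths, port, database, user and script
# names come from the article; function names and DRY_RUN are assumptions.
PSQL=/opt/rsa/am/pgsql/bin/psql.bin
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the psql command, 0 = run it
NL='
'

# Print a Security Domain name as a SQL string literal for "psql -v":
# wrapped in single quotes, with embedded single quotes doubled.
sql_literal() {
    [ -n "$1" ] || { echo "empty security domain name" >&2; return 1; }
    case $1 in
        *"$NL"*) echo "name contains a newline" >&2; return 1 ;;
        # Backslash handling depends on standard_conforming_strings; refuse it.
        *\\*) echo "name contains a backslash" >&2; return 1 ;;
    esac
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = Security Domain to inspect
list_objects() {
    lit=$(sql_literal "$1") || return 1
    run "$PSQL" -h localhost -p 7050 -d db -U rsa_dba \
        -v security_domain="$lit" -f /tmp/select_security_domains.sql
}

# $1 = Security Domain to be deleted, $2 = destination Security Domain
move_objects() {
    [ "$1" != "$2" ] || { echo "source and destination are identical" >&2; return 1; }
    from=$(sql_literal "$1") || return 1
    to=$(sql_literal "$2") || return 1
    run "$PSQL" -h localhost -p 7050 -d db -U rsa_dba \
        -v move_from="$from" -v move_to="$to" -f /tmp/update_security_domains.sql
}

# Constructed sample names: list, move, then list again to see what is still bound.
list_objects "Branch O'Hare"
move_objects "Branch O'Hare" "SystemDomain"
list_objects "Branch O'Hare"
```

With DRY_RUN left at 1 the script only prints the three psql commands; set DRY_RUN=0 on the Primary server to run them, and psql will prompt for the rsa_dba password each time.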
Notes

In previous versions of Authentication Manager (6.1 and 7.1), deleted objects may not have been completely removed from the database, leaving unwanted traces. These traces are migrated to Authentication Manager 8.1 and prevent deletion of their corresponding Security Domains. It is safe to move such data to another Security Domain using the attached update script.
