000032136 - RSA Authentication Manager 8.1 SP1 Admin API Gets Server Contact List but all servers show as isRunning="false" and isPrimary="false"

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000032136
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 SP1 Admin API SDK
Platform: VMware
O/S Version: SUSE Linux 11
Issue

The Admin API (AM Prime or SDK) performs a Get Server Contact List, but all servers are returned showing isRunning="false" and isPrimary="false", even after auto-rebalance. Replica status is Good.


2015-12-01T16:06:17,792-0600,com.rsa.ucm.am8,22,DEBUG,ContactList = <?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<contactList Count="6">
<Item isPrimary="false" isRunning="false">
<guid>ims.fe738dcd0121570a1b4beeaee84a06a9</guid>
<name>am81-4439.ms.ds.acme.local</name>
<ip>192.168.1.113</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.42cccbe40121570a1b68d31db8fd635a</guid>
<name>am81-4071.ms.ds.acme.local</name>
<ip>10.87.33.3</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.700cd5c70121570a1acd28a53b93ad14</guid>
<name>am81-4070.ms.ds.acme.local</name>
<ip>10.87.33.2</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.53b425620121570a1ae76870f9522999</guid>
<name>am81-4069.ms.ds.acme.local</name>
<ip>10.87.33.1</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.fd4f88db0121570a1bae394354720281</guid>
<name>am81-4438.ms.ds.acme.local</name>
<ip>192.168.1.112</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.7380fe3f0121570a1b6602ca28c0cae2</guid>
<name>am81-4440.ms.ds.acme.local</name>
<ip>192.168.1.115</ip>
</Item>
</contactList>
Resolution

The Admin API SDK for Authentication Manager 8.1, and all variations on it such as AM Prime, requires an AM 8.1 local database account with the Super Admin role to access the database.
While you might see some information with a non-Super Admin account, some data, such as the server contact list, has no specific access attribute and is therefore limited to the Super Admin.
Only a few data fields in AM have a specific access-control attribute (e.g., Token PIN).
The interface likely has a "secure by default" policy for this data, because deployment/topology data is generally accessible only to Super Admins (for example, a help-desk admin cannot add a new replica server).
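
A monitoring-side check for this symptom, as an added example (not RSA's code and not part of the original article): it pulls the contactList XML out of a DEBUG log line like the one above and flags the case where every server reports both attributes as false, which per the resolution points to the API account's role rather than a real outage. The function names, result labels and sample hostnames/IPs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the log excerpt above (placeholder values).
SAMPLE_LOG = '''2015-12-01T16:06:17,792-0600,com.rsa.ucm.am8,22,DEBUG,ContactList = <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<contactList Count="2">
<Item isPrimary="false" isRunning="false">
<guid>ims.00000000000000000000000000000001</guid>
<name>am-primary.example.test</name>
<ip>192.0.2.10</ip>
</Item>
<Item isPrimary="false" isRunning="false">
<guid>ims.00000000000000000000000000000002</guid>
<name>am-replica.example.test</name>
<ip>192.0.2.11</ip>
</Item>
</contactList>'''

def parse_contact_list(text):
    """Extract the <contactList> element from log text and return its servers."""
    # Matching from the root element onward excludes any DOCTYPE/entity prolog.
    m = re.search(r"<contactList\b.*?</contactList>", text, re.DOTALL)
    if m is None:
        raise ValueError("no <contactList> element found")
    root = ET.fromstring(m.group(0))
    servers = [{
        "name": item.findtext("name", default=""),
        "ip": item.findtext("ip", default=""),
        "primary": item.get("isPrimary") == "true",
        "running": item.get("isRunning") == "true",
    } for item in root.findall("Item")]
    declared = int(root.get("Count", len(servers)))
    if declared != len(servers):
        raise ValueError(f"Count={declared} but {len(servers)} Item elements")
    return servers

def assess(servers):
    """Return 'empty', 'masked', 'bad-primary-count' or 'ok' (labels are hypothetical)."""
    if not servers:
        return "empty"
    if not any(s["primary"] or s["running"] for s in servers):
        # Every flag false on every server: check the API account's role first.
        return "masked"
    if sum(s["primary"] for s in servers) != 1:
        return "bad-primary-count"
    return "ok"
```

A "masked" result means the next step is to confirm that the account used by the Admin API client holds the Super Admin role before investigating the servers themselves.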
