000023667 - Authentication Manager 7.1 startup fails

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000023667

Applies To
Authentication Manager 7.1
Microsoft Windows 2003
Redhat Linux Advanced Server 4.0, 5.5

Issue
How to reset (redo) the system fingerprint.
Authentication Manager startup fails; services will not start.
imstrace.log shows:

        com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
         at com.rsa.ims.security.keymanager.sys.PropertiesLoader.a(PropertiesLoader.java:72)
         at com.rsa.ims.security.keymanager.sys.PropertiesLoader.loadFields(PropertiesLoader.java:201)

Could not get JDBC Connection

Cause
During the installation of Authentication Manager 7.0, a series of keys and passwords is created and secured in a file that is itself encrypted. The system can decrypt the contents of this file because the encrypt/decrypt key is derived from certain "fingerprint" elements of the hardware. If a number of hardware components are modified, this fingerprint changes, the file can no longer be decrypted, and most of the Authentication Manager processes fail to start.
Resolution

RSA Authentication Manager is designed to allow for hardware alterations; the administrator simply needs to reset the encrypted file store.

Restore the system fingerprint by stopping the RSA Authentication Manager Server (rsaam stop), then running the rsautil manage-secrets -a recover command from the utils directory. For example:


 


Linux:


        # ./rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        #


 


Appliance:


        SSH with emcsrv user
        password: <OS Password>
        sudo su -
        password: <OS Password>

        su rsaadmin    <no password needed>

        # ./rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        #


 


Windows:


        C:\Program Files\RSA Security\RSA Authentication Manager\utils> rsautil manage-secrets -a recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        C:\Program Files\RSA Security\RSA Authentication Manager\radiusoc\utils> rsautil manage-secrets -a recover


 


You should then be able to start the services, although a complete server restart is the most appropriate way to ensure a smooth startup of all services.
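Before entering the master password for a recovery, it is worth confirming that the log really carries the fingerprint signature quoted in the Issue section, since "Could not get JDBC Connection" on its own does not point to the fingerprint. The following pre-check is an added example, not RSA tooling; the function names, the result labels, and the sample log lines (including their timestamp layout) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a copy of imstrace.log before running
# "rsautil manage-secrets -a recover". Not part of the RSA product.

# Signatures taken from the Issue section of this article.
SIG_FP='com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException'
SIG_JDBC='Could not get JDBC Connection'

# Prints: fingerprint-threshold | jdbc-only | no-match | unreadable
classify_imstrace() {
    log="$1"
    [ -r "$log" ] || { echo unreadable; return 2; }
    if grep -F -q -- "$SIG_FP" "$log"; then
        # The key store could not be decrypted: recovery applies.
        echo fingerprint-threshold
    elif grep -F -q -- "$SIG_JDBC" "$log"; then
        # Database symptom without the fingerprint exception:
        # investigate the database first, do not reset the fingerprint.
        echo jdbc-only
    else
        echo no-match
    fi
}

# Constructed sample data; the line layout is an assumption.
make_sample_logs() {
    dir="$1"
    {
        echo '2016-06-14 09:00:01 ERROR Could not get JDBC Connection'
        echo "$SIG_FP: System was modified beyond the allowed threshold, cannot decrypt."
        echo ' at com.rsa.ims.security.keymanager.sys.PropertiesLoader.loadFields(PropertiesLoader.java:201)'
    } > "$dir/fingerprint.log"
    echo '2016-06-14 09:00:01 ERROR Could not get JDBC Connection' > "$dir/jdbc.log"
    echo '2016-06-14 09:00:01 INFO startup complete' > "$dir/clean.log"
}

# Demo run over the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
for name in fingerprint jdbc clean; do
    printf '%s.log: %s\n' "$name" "$(classify_imstrace "$demo_dir/$name.log")"
done
rm -rf "$demo_dir"
```

Point `classify_imstrace` at a copy of the real imstrace.log; only a `fingerprint-threshold` result matches the condition this article resolves.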


 

Legacy Article ID: a36043
