000011610 - System was modified beyond the allowed threshold, cannot decrypt. - Database Server FAILED to start up

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Number: 000011610

Applies To:
RSA Authentication Manager 7.1
Microsoft Windows 2003
Red Hat Linux Advanced Server 4.0
rsautil manage-secrets -a recover
VMware ESX 3.5
Red Hat kernel version has changed

Issue: Authentication Manager startup fails

Error: Failed to load encrypted data.
Caused by: com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.

Error: System was modified beyond the allowed threshold, cannot decrypt.

Related symptoms:
Changed motherboard, Authentication Manager won't start
Changed hardware, Authentication Manager won't start
Changed or upgraded virtual hardware on a virtual machine
rsautil manage-secrets -a recover

Windows Event Viewer error:
Event Type: Information
Event Source: RSAAM_DB_INSTANCE
Event Category: jvm1
Event ID: 100
Date:  12/9/2010
Time:  2:20:12 PM
User:  N/A
Computer: xxxxx
Description:
Error in WrapperListener.start callback.  com.rsa.common.UnexpectedDataStoreException: com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.

Startup script output:
RSA Authentication Manager Database Server:                [FAILED]

Cause

During the installation of Authentication Manager 7.1 a series of keys and passwords are created. These are secured in a file which is itself encrypted. The system is able to decrypt the contents of this file because the encrypt/decrypt key is derived from certain "fingerprint" elements of the hardware. If a number of hardware components are modified, this fingerprint changes, the file cannot be decrypted, and most of the Authentication Manager processes fail to start. The fingerprint is made from values obtained from seven system components; this error occurs when more than two of them are changed at the same time.

RSA Authentication Manager is designed to allow for hardware alterations. If only two components change, the system accepts the remaining five as valid and re-encrypts the file using the new seven values. If more than two alterations are going to occur, the administrator must intervene to manually restore the encrypted file store after the hardware changes.

Typical triggers: a disk or NIC was changed or added, other hardware was changed, the virtual machine configuration was changed, or the installation was moved to different hardware.

Resolution

1. Go to <RSA_AM_HOME>/utils and edit rsaenv.cmd. Look for the line that says:

   set clu_user=<username>

   You MUST be logged on to the system as that username. Do NOT change this line to another username.

2. Stop all of the RSA Authentication Manager services (on Linux or UNIX you can run the <RSA_AM_HOME>/server/rsaam stop all script).

3. Run the rsautil manage-secrets -a recover command. The recover command must be run from both
   RSA_HOME\Utils
   and
   RSA_HOME\RadiusOC\utils

Linux or Solaris:

        # . ./rsaenv      (This sets environment variables. Note: the command starts with dot-space-dot-slash.)
        # ./rsautil manage-secrets  -a  recover
        Enter Master Password:********
        Machine fingerprint restored successfully.
        #

Windows:

        C:\Program Files\RSA Security\RSA Authentication Manager\utils> rsautil manage-secrets  -a  recover
        Enter Master Password:********
        Machine fingerprint restored successfully.

IMPORTANT NOTE (Linux or Windows): If you use RADIUS, you will also need to navigate to the /radiusoc/utils directory and execute the same command

        ./rsautil manage-secrets -a recover     (don't use the ./ dot-slash on Windows)

so the RADIUS component can reset its fingerprint.

The encrypted file store is decrypted using the master password instead of the system key, because it was not encrypted with the new system key value; it is then re-encrypted with the new system key value.
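The threshold mechanism described under Cause (seven fingerprint components, at most two may change) and the master-password recovery described in the sentence above, as an added illustrative model in Python. This is not RSA's code and RSA's actual fingerprint construction is not documented on this page: the model assumes a 5-of-7 construction in which a random data-encryption key (DEK) is wrapped under a key derived from every five-component subset of the fingerprint, plus one copy wrapped under the master password. The component values, salts, iteration count and the XOR-plus-HMAC key wrap are constructed for the example.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Toy model (not RSA's implementation): a 7-component machine fingerprint must
# still match in at least 5 components, i.e. at most 2 may change between starts.
N_COMPONENTS = 7
MIN_UNCHANGED = 5
PBKDF2_ITERATIONS = 5_000          # constructed; kept low so the 21 subset wraps run quickly
SUBSET_SALT = b"toy-fingerprint-subset"   # constructed salt
MASTER_SALT = b"toy-master-password"      # constructed salt


class SystemModificationThresholdError(Exception):
    """Raised when more than N_COMPONENTS - MIN_UNCHANGED fingerprint components changed."""


def component_digest(index, value):
    # Only a hash of each component is stored, so the store can tell which
    # components changed without holding the raw hardware values.
    return hashlib.sha256(f"{index}={value}".encode()).hexdigest()


def subset_key(fingerprint, idxs):
    # Key derived from the values of one 5-component subset of the fingerprint.
    material = "|".join(f"{i}:{fingerprint[i]}" for i in idxs).encode()
    return hashlib.pbkdf2_hmac("sha256", material, SUBSET_SALT, PBKDF2_ITERATIONS)


def master_key(master_password):
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), MASTER_SALT, PBKDF2_ITERATIONS)


def wrap(dek, key):
    # XOR-wrap the 32-byte DEK under a 32-byte derived key and append an HMAC tag,
    # so a wrong key is detected instead of silently yielding garbage.
    ct = bytes(a ^ b for a, b in zip(dek, key))
    return ct + hmac.new(key, ct, "sha256").digest()


def unwrap(blob, key):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, key))


def _bind_to_fingerprint(store, fingerprint, dek):
    # "Re-encrypt using the new seven values": record the component digests and
    # wrap the DEK under every 5-of-7 subset, so any five unchanged components suffice.
    store["component_digests"] = [component_digest(i, v) for i, v in enumerate(fingerprint)]
    store["wrapped_by_subset"] = {
        idxs: wrap(dek, subset_key(fingerprint, idxs))
        for idxs in combinations(range(N_COMPONENTS), MIN_UNCHANGED)
    }


def create_store(fingerprint, master_password):
    dek = secrets.token_bytes(32)
    store = {"wrapped_by_master": wrap(dek, master_key(master_password))}
    _bind_to_fingerprint(store, fingerprint, dek)
    return store


def open_store(store, current_fingerprint):
    """Normal startup: returns (dek, changed_indices); re-binds the store if <= 2 changed."""
    changed = [i for i in range(N_COMPONENTS)
               if component_digest(i, current_fingerprint[i]) != store["component_digests"][i]]
    if N_COMPONENTS - len(changed) < MIN_UNCHANGED:
        raise SystemModificationThresholdError(
            f"System was modified beyond the allowed threshold ({len(changed)} of "
            f"{N_COMPONENTS} components changed), cannot decrypt.")
    # combinations() yields sorted tuples, so the first five unchanged indices are a valid key.
    unchanged = tuple(i for i in range(N_COMPONENTS) if i not in changed)[:MIN_UNCHANGED]
    dek = unwrap(store["wrapped_by_subset"][unchanged], subset_key(current_fingerprint, unchanged))
    if changed:
        _bind_to_fingerprint(store, current_fingerprint, dek)
    return dek, changed


def recover(store, current_fingerprint, master_password):
    """Administrator path (the analogue of manage-secrets -a recover): unwrap the DEK
    with the master password, then re-bind the store to the current fingerprint."""
    dek = unwrap(store["wrapped_by_master"], master_key(master_password))
    if dek is None:
        return False
    _bind_to_fingerprint(store, current_fingerprint, dek)
    return True


if __name__ == "__main__":
    # Constructed sample fingerprint: seven component values of one machine.
    fp = ["board-A1", "cpu-x1", "nic-00:11", "disk-sda", "os-rhel4u6", "mem-4G", "bios-1.0"]
    store = create_store(fp, "master-pw")
    fp[2], fp[3] = "nic-00:22", "disk-sdb"                    # two changes: tolerated, re-bound
    print("two changes ->", open_store(store, fp)[1])
    fp[0], fp[1], fp[4] = "board-B2", "cpu-x4", "os-rhel4u7"  # three more: over the threshold
    try:
        open_store(store, fp)
    except SystemModificationThresholdError as e:
        print("three more changes ->", e)
    print("recover with master password ->", recover(store, fp, "master-pw"))
    print("after recovery ->", open_store(store, fp)[1])
```

Two points the model makes visible. First, a tolerated change re-binds the store to the new seven values immediately, which is why two changes today plus two more next month do not add up to a failure, while five at once do. Second, the copy wrapped under the master password is the only thing that makes recovery possible once the threshold is crossed, so the master password is the root of trust for the whole secret store and the recover command should only ever be run by the administrator who holds it.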


 


The server will then start correctly, although RSA Customer Support recommends a complete server restart to ensure a smooth startup of all services.

After the system has restarted you should test access to the RSA Operations Console (connect to https://<serverFQDN>:7072/operations-console). If this fails, remove the ocusermanager.properties file from utils/etc and run rsautil manage-oc-administrators -a reload.

Workaround

This error has also been seen after the following changes:
The underlying operating system (RHEL4) was updated from update 6 to update 7.
A single-CPU kernel was changed to an SMP kernel, or the reverse.
The number of CPUs was changed.

Legacy Article ID: a42108
