000013474 - Cannot attach Authentication Manager 8.1 replica server following migration from 7.1; user name specified does not have a password assigned

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013474
Applies ToRSA Product Set: SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition: 8.1
Errors can be seen in the following logs:
  • From the /opt/rsa/am/install_logs/config/config.sh_Appliance_configureReplica_<datestamp>.log:
16 2014-07-18 15:36:06,771 INFO: One of the dependencies dirs doesn't exist: ../common-platform/thirdparty
20 2014-07-18 15:36:06,775 INFO: Arguments: [Appliance.configureReplica]
1259 2014-07-18 15:36:08,014 INFO: Script source dir: /opt/rsa/am/config/src/scripts
1259 2014-07-18 15:36:08,014 INFO: Patch Script source dir: null
1433 2014-07-18 15:36:08,188 INFO: Reading configuration from Config.groovy
2428 2014-07-18 15:36:09,183 INFO: Running task Appliance.configureReplica
6641 2014-07-18 15:36:13,396 INFO: Executing free
7099 2014-07-18 15:36:13,854 INFO: Total Memory: 4057304 KB
7112 2014-07-18 15:36:13,867 INFO: Using memory category 4GB
7121 2014-07-18 15:36:13,876 INFO:
########### ATTENTION ###########
# Enter your user password to #
# continue. #
# Your user account must be in #
# the /etc/sudoers file first. #
# #
########### ATTENTION ###########
7549 2014-07-18 15:36:14,304 INFO: Executing /opt/rsa/am/server/rsaserv stop admin on command line
12574 2014-07-18 15:36:19,329 INFO: Return code: 0:
12574 2014-07-18 15:36:19,329 INFO: Output: Stopping RSA Console Server:
RSA Console Server [SHUTDOWN]
Stopping RSA Runtime Server:
RSA Runtime Server [SHUTDOWN]
Stopping RSA RADIUS Server Operations Console:
RSA RADIUS Server Operations Console [SHUTDOWN]
Stopping RSA Administration Server with Operations Console:
RSA Administration Server with Operations Console [SHUTDOWN]
12574 2014-07-18 15:36:19,329 INFO: Applying secrets from the primary
12584 2014-07-18 15:36:19,339 INFO: Extracting systemtools
[untar] Expanding: /opt/rsa/am/components/compile/com.rsa.ims/clu-tar/ into /opt/rsa/am
14229 2014-07-18 15:36:20,984 INFO: Executing find
15464 2014-07-18 15:36:22,219 INFO: Executing find
[unzip] Expanding: /opt/rsa/am/replication/attachment_data_from_primary/replica_secrets.zip into
[copy] Copying 1 file to /opt/rsa/am/utils/etc

  • From the /opt/rsa/am/install_logs/config/config.sh_Appliance_configureReplica_<datestamp>.log 
Exception in thread "Main Thread" com.rsa.ims.security.keymanager.sys.SystemFingerprintException: The user name specified does not 
have a password assigned to it

     at com.rsa.ims.security.lockbox.crypto.d.d(d.java:162)
     at com.rsa.ims.security.lockbox.crypto.d.b(d.java:43)
     at com.rsa.ims.security.lockbox.b.recoverSystemKey(b.java:431)
     at com.rsa.ims.security.keymanager.sys.FieldsManager$recoverSystemKey.call(Unknown Source)
     at SetupReplica.importPrimarySystemSecrets(SetupReplica.groovy:203)
     at SetupReplica$importPrimarySystemSecrets.callCurrent(Unknown Source)
     at SetupReplica.applySecrets(SetupReplica.groovy:171)
     at SetupReplica.configureReplica(SetupReplica.groovy:39)
     at SetupReplica$configureReplica.call(Unknown Source)
     at Appliance.configureReplica(Appliance.groovy:22) 
     at com.rsa.plugins.install.GroovyInstallEngine.invokeScript(GroovyInstallEngine.groovy:68)
     at com.rsa.plugins.install.GroovyInstallEngine$_runTask_closure2.doCall(GroovyInstallEngine.groovy:57)
     at com.rsa.plugins.install.GroovyInstallEngine.runTask(GroovyInstallEngine.groovy:60)
     at com.rsa.plugins.install.GroovyInstallEngine$_runTasks_closure3.doCall(GroovyInstallEngine.groovy:106)
     at com.rsa.plugins.install.GroovyInstallEngine.runTasks(GroovyInstallEngine.groovy:105)
     at com.rsa.plugins.install.GroovyInstallEngine$runTasks.call(Unknown Source)
     at com.rsa.plugins.install.CommandLineInstallEngine.main(CommandLineInstallEngine.groovy:40)
Configuration step Appliance:configureReplica [FAILED]

  • From /opt/rsa.am/server/logs/imsTrace.log:
@@@2013-07-17 21:16:22,045, [AddReplica], (AttachReplicaThread.java:137), trace.com.rsa.amappliance.web.quicksetup.replicaattach.
AttachReplicaThread, ERROR <hostname>,,,,Failed to attach. Primary host:<hostname>, exception:
com.rsa.amappliance.web.quicksetup.util.SetupException: Execution of config goal Appliance:configureReplica failed with exit code 1

     at com.rsa.amappliance.web.quicksetup.util.SetupUtility.executeConfigGoal(SetupUtility.java:131)
     at com.rsa.amappliance.web.quicksetup.replicaattach.AttachReplicaUtility.executeConfigGoal(AttachReplicaUtility.java:150)
     at com.rsa.amappliance.web.quicksetup.replicaattach.AttachReplicaThread.configureReplica(AttachReplicaThread.java:189)
     at com.rsa.amappliance.web.quicksetup.replicaattach.AttachReplicaThread.startConfigureReplica(AttachReplicaThread.java:167)
     at com.rsa.amappliance.web.quicksetup.replicaattach.AttachReplicaThread.attachReplica(AttachReplicaThread.java:104)
     at com.rsa.amappliance.web.quicksetup.replicaattach.AttachReplicaThread.run(AttachReplicaThread.java:91)
     at java.lang.Thread.run(Thread.java:662)

  • From the /opt/rsa/am/server/logs/rsa-console.log:
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
@@@2013-07-17 21:16:22,035 ERROR [AddReplica] GUILog.traceThrowable(637) | error:
com.rsa.amappliance.web.quicksetup.util.SetupException: Execution of config goal Appliance:configureReplica failed with exit code 1

at com.rsa.amappliance.web.quicksetup.util.SetupUtility.executeConfigGoal(SetupUtility.java:131)


1.  If using a virtual appliance for the Authentication Manager 8.1 replica, delete the replica's virtual machine from VMware or Hyper-V.  If using a hardware appliance for the replica, factory reset it.

2.  Change the Operations Console admin's password via the Security Console.
     2a.  Login to the primary Authentication Manager 8.1 Security Console.
     2b.  Select Administration > Manage OC Administrators.
     2c.  For the Operations Console user whose password needs to be changed, click Change Password.
     2d.  Create a new password for the user and confirm it.
     2e.  Click Save when done.
3.  Confirm that the old replica server is not listed in the Operations Console and if it is, delete it.
     3a.  Login to the primary Operations Console.
     3b.  Select Deployment Configuration > Instances > Status Report.
     3c.  If the Authentication Manager 7.1 replica is listed, click on the context arrow next to the server name and click Delete.
     3d.  Check the option to delete the replica.
     3e.  Click Delete.  The progress monitor displays the delete process.
     3f.   Click Done when complete.
4.  Reset the system fingerprint on the primary server.
    4a.  Connect to the primary via SSH, vSphere or direct connection.
    4b.  Login as rsaadmin.
 4c.  Navigate to /opt/rsa/am/utils.
    4d.  Run the following command:

rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a recover
Please enter OC Administrator username: <enter the name of an Operations Console administrator>
Please enter OC Administrator password: <enter the password for the Operations Console administrator>
Machine fingerprint restored successfully.

5.  Generate a new replica package file for the new Authentication Manager 8.1 replica.
     5a.  From the primary's Operations Console, select Deployment Configuration > Instances > Generate Replica Package.
     5b.  Click Download to download the replica_package.zip that contains the connection.properties and the primary-ca.cer files.
6.  Using the information in the Authentication Manager 8.1 Setup and Configuration Guide, deploy a new Authentication Manager 8.1 replica.  Ensure that you are using the correct guide for your installation (that is, use the documentation for Authentication Manager 8.1 if you have not yet installed Service Pack 1.  Use the documentation for Authentication Manager 8.1 Service Pack 1 if you have installed the service pack).

NotesOther things to check and/or correct:
  • Forward and reverse name resolution of the primary to the replica and vice versa.  
  • Before attaching the replica to the primary, remove any authentication agent host entry for the replica that displays on the the primary's Security Console that may have come from the migration.
Legacy Article IDa62022