000032631 - Adding a New RADIUS Client to the Authentication Manager Generates an Error in RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000032631
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Platform: SUSE Enterprise Linux
O/S Version: 11 Service Pack 3
Product Description: SecurID Appliance
Issue: Adding a new RADIUS client generates the error "Unexpected error during command com.rsa.authmgr.admin.radius.AddRadiusClientCommand execution".
Exception thrown in the /opt/rsa/am/server/logs/imsTrace.log:
2016-02-15 05:42:31,776, [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'], (CommandServerEngine.java:897), trace.com.rsa.command.CommandServerEngine, DEBUG, USEMC-SECRSA001.NA.XOM.COM,,,,Command : class com.rsa.authmgr.admin.radius.AddRadiusClientCommand
      Execution Exception: java.lang.NullPointerException
java.lang.NullPointerException
      at com.rsa.authmgr.internal.admin.radius.impl.RadiusClientAdministrationImpl.createRadiusClient(RadiusClientAdministrationImpl.java:323)
      at com.rsa.authmgr.admin.radius.AddRadiusClientCommand$Executive.execute(AddRadiusClientCommand.java:304)
      at com.rsa.authmgr.admin.radius.AddRadiusClientCommand.performExecute(AddRadiusClientCommand.java:160)
      at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119)
      at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1)
      at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268)
      at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)
      at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130)
      at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260)
      at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)
      at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1)
      at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
      at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
      at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445)
      at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373)
      at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89)
      at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)
      at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:32)
      at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source)
      at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source)
      at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:693)
      at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
      at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:518)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
      at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:514)
      at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

Taken from the /opt/rsa/am/server/logs/imsTrace.log:
2016-02-15 05:43:36,462, [[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'], (RadiusReplicationTimerHandlerImpl.java:274), trace.com.rsa.authmgr.internal.admin.radius.timer.impl.RadiusReplicationTimerHandlerImpl, DEBUG, AM81R2.COMPANY.COM,,,,Crafting Critical notification message for :[RadiusReplicationHealthStatus: replicaServerNameam81r2.company.com
,errorDetected: true
,errorStatus: Replica: out-of-date
,decoratedStatus: RadiusReplicationStatus_OUT_OF_DATE]

Error seen when removing a replica instance from the Operations Console that was not attached to the authentication manager deployment:
Error: com.rsa.common.InvalidArgumentException: IP Address is required to perform this operation
Cause: Through investigation it was found that a replica instance name was present in the configuration but was not attached to the primary instance.
Resolution: The replica instance name needs to be removed from the authentication manager configuration.
Follow these steps to manually remove the replica instance:
  1. Perform a backup. These steps change data in the authentication manager database, and the backup provides a restore point, if needed.
Operations Console > Maintenance > Backup and Restore > Backup Now > [optional] change the Backup Name, enter a Password, set backup location and click Backup

  2. Log on to the SecurID Appliance either with an SSH session or at the local console using the rsaadmin account.
  3. Navigate to the /opt/rsa/am/utils folder as the rsaadmin user.
  4. Retrieve the password for the rsa_dba user using the command:
    /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password -u <OC_Admin_Name> -p <OC_Admin_Password>

NOTE: Replace <OC_Admin_Name> and <OC_Admin_Password> with the appropriate Operations Console administrative account details for your deployment.

  5. Create a text file in the /opt/rsa/am/utils folder with an appropriate name, for example: replica_id.sql
Copy the SELECT statement below into the text file and save the change:
select instance_id from rsa_rep.ims_instance_node where host = '<replica_FQDN>';

  6. Obtain the instance id for the replica fully-qualified hostname (FQDN) with this command:
    /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -A -F , -X -t -f replica_id.sql -o replica_id.txt

    NOTE: Expect something like c6228df7030a13ac08022fbb70b982ea in replica_id.txt.
  7. Create a text file in the /opt/rsa/am/utils folder with an appropriate name, for example: ip_change.sql
Copy the UPDATE statement below into the text file and save the change:
update rsa_rep.am_host set primary_ip = '1.1.1.1' where server_instance_id='<instance_id>';

  8. Update the IP address of the replica instance fully-qualified hostname (FQDN) with the command:
    /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -A -F , -X -t -f ip_change.sql -o ipchangelog.txt

    NOTE: ipchangelog.txt will contain "UPDATE 1".
  9. Use the Operations Console to remove the replica instance fully-qualified hostname (FQDN) from the deployment.
Operations Console > Deployment Configuration > Instance > Status Report > left-click Replica Instance Name > enter super admin credentials > check ‘Yes, delete the replica’ > click Delete button.

  10. Once the replica instance fully-qualified hostname (FQDN) has been removed from the authentication manager deployment, an administrator can add a RADIUS client using the Security Console > RADIUS > RADIUS Clients > Add New.
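
The two SQL steps above, scripted with checks, as an added example that is not RSA tooling: it writes both .sql files with plain ASCII quotes, accepts only a well-formed FQDN and a 32-hex-digit instance id, and stops unless the lookup returns exactly one row and the update reports "UPDATE 1". All function names are assumptions; the paths, psql options and SQL text are the ones given in the steps.

```sh
# Added example (not RSA tooling); function names are assumptions.
LC_ALL=C; export LC_ALL
PSQL=/opt/rsa/am/pgsql/bin/psql                      # path from the article
PSQL_OPTS="-h localhost -p 7050 -d db -U rsa_dba -A -F , -X -t"

# Hostname characters only, so the value cannot break out of the SQL literal.
valid_fqdn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# An instance id such as c6228df7030a13ac08022fbb70b982ea: exactly 32 hex digits.
valid_instance_id() {
  case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 32 ]
}

write_replica_id_sql() {    # $1 = replica FQDN, $2 = output file
  valid_fqdn "$1" || { echo "rejected FQDN" >&2; return 1; }
  printf "select instance_id from rsa_rep.ims_instance_node where host = '%s';\n" "$1" > "$2"
}

# Succeed only if replica_id.txt holds exactly one well-formed id; print it.
read_instance_id() {
  rows=$(grep -c . "$1") || return 1
  [ "$rows" -eq 1 ] || return 1
  id=$(grep . "$1" | tr -d '[:space:]')
  valid_instance_id "$id" && printf '%s\n' "$id"
}

write_ip_change_sql() {     # $1 = instance id, $2 = output file
  valid_instance_id "$1" || { echo "rejected instance id" >&2; return 1; }
  printf "update rsa_rep.am_host set primary_ip = '1.1.1.1' where server_instance_id='%s';\n" "$1" > "$2"
}

# The article expects ipchangelog.txt to contain exactly "UPDATE 1".
update_ok() { [ "$(cat "$1")" = "UPDATE 1" ]; }

# Both SQL steps in order; run from /opt/rsa/am/utils as rsaadmin. Not called here.
run_sql_steps() {           # $1 = replica FQDN
  write_replica_id_sql "$1" replica_id.sql || return 1
  $PSQL $PSQL_OPTS -f replica_id.sql -o replica_id.txt || return 1
  id=$(read_instance_id replica_id.txt) || { echo "need exactly one instance id" >&2; return 1; }
  write_ip_change_sql "$id" ip_change.sql || return 1
  $PSQL $PSQL_OPTS -f ip_change.sql -o ipchangelog.txt || return 1
  update_ok ipchangelog.txt
}
```

Take the backup first; psql prompts for the rsa_dba password retrieved earlier, and the Operations Console removal is still done by hand afterwards.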
Should these steps not resolve your issue then please contact RSA Customer Support with your license and RSA product information and open a support case.
 
RSA Customer Support contact information is available at URL http://www.emc.com/support/rsa/contact/index.htm

 
