000033058 - Unable to check Database. java.lang.SecurityException: PBOX000016: Access denied: authentication failed

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033058
Applies ToRSA Product Set: RSA Via Lifecycle and Governance, Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0
IssueThe error (Unable to check Database. java.lang.SecurityException: PBOX000016: Access denied: authentication failed) is displayed both on the screen when attempting to access the Web Administration page for RSA Via Lifecycle and Governance and in the /home/oracle/wildfly/standalone/log/server.log.
In the UI, the error shows as:
User-added image
Below is a snippet from the /home/oracle/wildfly/standalone/log/server.log:
2016-05-05 10:04:41,660 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] 
(MSC service thread 1-2) Exception during createSubject()PBOX000016: Access denied: authentication failed:
java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1184)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1179)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1178)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:637)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:283)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:310)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:124)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]

CauseThis error is caused when one or more passwords are either corrupt or incorrect in the following configuration file:

WorkaroundThe steps below show how to check current passwords that are encrypted within the Aveksa_System.cfg against what is within the aveksa-standalone-full.xml:
  1. Login or change user to oracle.
cd deploy
./generateLoginKey <username>

  1. Check the return value against the password stored in aveksa-standalone-full.xml.Here is an example of the process:
        User-added image

  1. If an entry that was from the generateLoginKey does not match the output of the grep command, edit the aveksa-standalone-full.xml for the given username/password pair and update the value to match.  Here is a grep of the username/password value pairs from the aveksa-standalone-full.xml.
       User-added image
NotesIf the passwords match and the error still displays, the issue may be that the encrypted password is inaccurate within the Aveksa_System.cfg.
Steps for changing or updating the password are documented in the RSA Via Lifecycle and Governance Installation Guide V7.0.  Here is a snippet.
Use sqlplus to verify the username / password combination.  Edit the /home/oracle/Aveksa_System.cfg and replace the encrypted password with a clear-text password.
Running generateLoginKey will replace the clear-text password with its encrypted equivalent and echo the password that would be used in the aveksa-standalone-full.xml.