000032318 - RSA Access Manager Admin API application fails with ExpiredPasswordException

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032318
Applies ToRSA Product Set:ClearTrust, Access Manager (AxM)
RSA Version/Condition: 6.2
IssueCustom RSA Access Manager Admin API application fails with the following exception:
Caused by: sirrus.api.client.ExpiredPasswordException: Expired password (RC_EXPIRED_PASSWORD): Expired Password: NormalExpiration
The RSA Access Manager eserver.log (or lserver.log for the eserver) logs the following event:
sequence_number=235,2016-01-03 13:45:55:221 PST,conn=46,op=2,eventID=bd12406815e114434343369320279,messageID=101,ip=,uname=<anonymous>,msg=Login,msgtype=READ,result=19,etime=3ms,role=Default Administrative Role,group=Default Administrative Group,user=administrator
CauseThis error message indicates that the password on the RSA Administrative user account used by the Admin API has expired.
ResolutionReset the password on the RSA Access Manger administrative user account identified in the eserver.log message.   It is also recommended to extent the password lifetime of the administrative user account so that the error does not occur again. 
How you set the password lifetime depends on the type of datastore you are using for your users and how you have your password policies set.
If you are using the default RSA Access Manager user store (for example SunOne datastore or Oracle SQL), then your password policy is determined by RSA Access Manager and is configured in the Entitlements Manger under Administration, Password Policies.   The policy that is in effect is the one associated with the “Default Administrative Group”.   You can also set an explicit password expiration date that overrides the policy and for this user I would recommend that you do so.  That is done under “Manage users” by editing the “password expires”  date for this user specifically.
If you are not using RSA Access Manger for user and user password management, for example if your users are in an external Active Directory AD datastore, then the password expiration is managed by the underlying native user store itself.  For that you should consult your systems administrator to determine how to change the users password expiration date.  For Microsoft AD this is done in the MMC console.