000030800 - How to clean up unresolvable users fails in RSA Authentication Manager 8.1.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000030800
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Platform: SUSE Enterprise Linux
O/S Version: 11 Service Pack 3
Product Description: SecurID Appliance
 
Issue: Clean Up Unresolvable Users fails with an error.
The log file reports a timeout:

2015-03-02 05:37:24,881, [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'], (GenericAccessSQL.java:141), trace.com.rsa.ims.admin.dal.sql.GenericAccessSQL, ERROR, loninrsap04.uk.db.com,,,,Error performing action: SystemActionKey[READ_PRINCIPAL]
java.sql.SQLException: The transaction is no longer active - status: 'Rolled back. [Reason=weblogic.transaction.internal.TimedOutException: Transaction timed out after 600 seconds
BEA1-0E9C366C88FD4262E80E]'. No further JDBC access is allowed within this transaction.
at weblogic.jdbc.wrapper.JTSConnection.checkIfRolledBack(JTSConnection.java:198)
at weblogic.jdbc.wrapper.JTSConnection.checkConnection(JTSConnection.java:210)
at weblogic.jdbc.wrapper.JTSConnection.prepareStatement(JTSConnection.java:546)
at com.rsa.ims.instrumentation.monitor.InstrumentedConnectionProxy.prepareStatement(InstrumentedConnectionProxy.java:197)
at com.rsa.ims.common.database.SavePointConnectionProxy.prepareStatement(SavePointConnectionProxy.java:146)
at com.rsa.ims.admin.dal.sql.PrincipalAccessSQL.lookupDataAttribute(PrincipalAccessSQL.java:2563)
at com.rsa.ims.admin.iscleanup.resolution.SuccessfulResolution.finish(SuccessfulResolution.java:36)
at com.rsa.ims.admin.iscleanup.impl.IdentitySourceCleanupControllerImpl.finishContext(IdentitySourceCleanupControllerImpl.java:254)
at com.rsa.ims.admin.iscleanup.impl.IdentitySourceCleanupControllerImpl.trustedResolvePrincipals(IdentitySourceCleanupControllerImpl.java:233)
at com.rsa.ims.admin.iscleanup.impl.IdentitySourceCleanupControllerImpl.resolvePrincipals(IdentitySourceCleanupControllerImpl.java:160)
at com.rsa.admin.GetUnresolvablePrincipalsCommand$Executive.performExecute(GetUnresolvablePrincipalsCommand.java:388)
at com.rsa.admin.GetUnresolvablePrincipalsCommand.performExecute(GetUnresolvablePrincipalsCommand.java:337)
at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:121)

 
Cause: com.rsa.admin.GetUnresolvablePrincipalsCommand is used internally to get a list of unresolvable principals, and this command timed out while retrieving the list of principals in the current environment.

Resolution: To increase the timeout for com.rsa.admin.GetUnresolvablePrincipalsCommand, an administrator can perform the following steps at the command line.
Steps:

1. Log on to the SecurID Appliance with the rsaadmin account, either through an SSH session or at the local console.

2. Navigate to the /opt/rsa/am/utils folder as the rsaadmin user.

3. Retrieve the password for the rsa_dba user using the following command:
    

   ./rsautil manage-secrets -a get com.rsa.db.dba.password -u <OC_Admin_Name> -p <OC_Admin_Password>
    
   Remember to replace <OC_Admin_Name> and <OC_Admin_Password> with the appropriate Operations Console administrative account details.

   NOTE: The appropriate method would be to create a read-only user for database access.

    
4. Set up the UNIX environment to allow command line access to the Authentication Manager database.

   Navigate to the /opt/rsa/am/utils folder
    

   . ./rsaenv
    
   /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
    
   Example:

  
rsaadmin@marge:/opt/rsa/am/utils> . ./rsaenv
rsaadmin@marge:/opt/rsa/am/utils> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba:
psql.bin (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

db=#

  
   When prompted, enter the password retrieved in step 3.

5. At the db=# prompt, the following SQL statements can be used to check whether the global parameter exists before inserting the parameter into the primary instance.
    
   Check 

  
select * from RSA_REP.IMS_CONFIG_VALUE WHERE name = 'ims.command.timeout';

  
   Example:
  
db=# select * from RSA_REP.IMS_CONFIG_VALUE WHERE name = 'ims.command.timeout';
                id                |   instance_id    |        name         |                                value
----------------------------------+------------------+---------------------+----------------------------------------------------------------------
248ecb9c031d2c0a00780ca2b20d7326 | 0000-Global-0000 | ims.command.timeout | com.rsa.batchjob.DeleteBatchJobCommand,3600
5c98277231ac640a0124bbbf733e99a0 | 0000-Global-0000 | ims.command.timeout | com.rsa.authmgr.admin.acemigrate61.Migrate61PreMigrationCommand,5000
(2 rows)

db=#

  
   Insert 
  
insert into RSA_REP.IMS_CONFIG_VALUE (id, instance_id, name, value) values ('5c98277231ac640a012bbbf733e99a1', '0000-Global-0000', 'ims.command.timeout', 'com.rsa.admin.GetUnresolvablePrincipalsCommand,3600');

    
   Example:

  
db=# insert into RSA_REP.IMS_CONFIG_VALUE (id, instance_id, name, value) values ('5c98277231ac640a012bbbf733e99a1', '0000-Global-0000', 'ims.command.timeout', 'com.rsa.admin.GetUnresolvable>
INSERT 0 1
db=#

  
   Check 
  
select * from RSA_REP.IMS_CONFIG_VALUE WHERE name = 'ims.command.timeout';

    
   Example:

  
db=# select * from RSA_REP.IMS_CONFIG_VALUE WHERE name = 'ims.command.timeout';
                id                |   instance_id    |        name         |                                value
----------------------------------+------------------+---------------------+----------------------------------------------------------------------
248ecb9c031d2c0a00780ca2b20d7326 | 0000-Global-0000 | ims.command.timeout | com.rsa.batchjob.DeleteBatchJobCommand,3600
5c98277231ac640a0124bbbf733e99a0 | 0000-Global-0000 | ims.command.timeout | com.rsa.authmgr.admin.acemigrate61.Migrate61PreMigrationCommand,5000
5c98277231ac640a012bbbf733e99a1  | 0000-Global-0000 | ims.command.timeout | com.rsa.admin.GetUnresolvablePrincipalsCommand,3600
(3 rows)

db=#

  
   Exiting db=#
    
   Use the '\q' sequence to return to the command line.
    
   Example:

  
db=# \q
rsaadmin@am81p:/opt/rsa/am/utils>

  
6. Navigate to the /opt/rsa/am/server folder as the rsaadmin user, then stop and start the RSA Authentication Manager 8.1 services for the parameter change to take effect.
    
  
Stop: ./rsaserv stop all
Start: ./rsaserv start all
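
For step 5, the check and the insert can be combined into one guarded statement so that running the procedure a second time does not add a duplicate row. This is an added example, not part of the original RSA article; it assumes the database server matches the psql 9.2.4 banner shown above (a release without INSERT ... ON CONFLICT) and that the value column is a character type.

```sql
-- Added example (not from the RSA article). Run at the db=# prompt in step 5.
-- The id, instance_id, name and value literals are the ones the article uses.
BEGIN;

-- Insert the timeout row only if no row for this command already exists.
-- PostgreSQL 9.2 has no INSERT ... ON CONFLICT, so the guard is a NOT EXISTS subquery.
INSERT INTO RSA_REP.IMS_CONFIG_VALUE (id, instance_id, name, value)
SELECT '5c98277231ac640a012bbbf733e99a1',
       '0000-Global-0000',
       'ims.command.timeout',
       'com.rsa.admin.GetUnresolvablePrincipalsCommand,3600'
WHERE NOT EXISTS (
    SELECT 1
    FROM RSA_REP.IMS_CONFIG_VALUE
    WHERE instance_id = '0000-Global-0000'
      AND name = 'ims.command.timeout'
      AND value LIKE 'com.rsa.admin.GetUnresolvablePrincipalsCommand,%'
);

-- Verify before committing: exactly one row should come back for this command.
-- If the result is not what you expect, type ROLLBACK; instead of COMMIT;
SELECT id, instance_id, name, value
FROM RSA_REP.IMS_CONFIG_VALUE
WHERE name = 'ims.command.timeout'
  AND value LIKE 'com.rsa.admin.GetUnresolvablePrincipalsCommand,%';

COMMIT;
```

psql reports INSERT 0 1 when the row was added and INSERT 0 0 when a row for the command was already present, in which case the existing timeout value is left unchanged.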

  

Notes: Contacting RSA Customer Support
Telephone: For urgent issues, use one of the telephone numbers listed at URL http://www.emc.com/support/rsa/contact/phone-numbers.htm
Email: For non-urgent issues, email support@rsa.com
Case Management: Case Management is found at URL https://knowledge.rsasecurity.com/scolcms/mysupport.aspx (requires access to RSA SecurCare Online)
