000029972 - AxM - ClassCastException causes critical aserver failure

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029972
Applies To: RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
Platform: Linux
O/S Version: Red Hat Enterprise Linux 5.x
Issue

Users are unable to authenticate to RSA Access Manager.
At the normal log level, the RSA Access Manager Agent log file records the following critical message:
2015-03-31 10:47:02 -0700 - [4924] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR


At the DEBUG log level, the RSA Access Manager Agent log file shows the following:
2015-03-31 10:47:02 -0700 - [4924] - <Info> - Result map: EXCEPTION_TYPE\nSERVER_ERROR
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Authentication return code: 100
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is 100 (CT_AUTH_UNKNOWN_ERROR)
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Previous user: (null), current user: user2
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Previous status is CT_SESSION_ACTIVE
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Attempt multiple authentication is false and status is not CT_SESSION_ACTIVE, breaking
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is not CT_CHECK_ACCESS_REQUIRED
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Resetting status to: 100
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Authenticated bit from table: 0
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - URI: /cleartrust/ct_logon.asp, User: user2
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is: 100
2015-03-31 10:47:02 -0700 - [4924] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR
With the Authorization Server in DEBUG mode, the RSA Access Manager aserver.out file shows the following exception immediately after the LDAP lookup of the user:
15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15.599 ldc=8 op=26 SearchRequest {baseObject=ou=People, dc=corp, dc=rsasecurity, scope=1, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(&(objectclass=inetOrgPerson)(uid=user1)), attributes=uid+userpassword+ctscAccountStartDate+ctscAccountEndDate+ctscPasswordCreationDate+ctscPasswordExpirationDate+ctscUserKeywords+ctscUserKeywords+ctscUserKeywords+ctscFailedLoginCount+ctscLockoutExpirationDate+ctscLastResetDate+mail+givenname+sn+postalcode+postalcode}
15:28:15.600 ldc=8 op=26 SearchResponse {entry='uid=user1,ou=People,dc=corp,dc=rsasecurity', attributes='LDAPAttribute {type='uid', values='user1'},LDAPAttribute {type='userpassword', values='{SSHA}EvtMBX/5petUzDOCXc0CoG/bvmDgfWucHjDlkw=='},LDAPAttribute {type='ctscAccountStartDate', values='20130328230104Z'},LDAPAttribute {type='ctscAccountEndDate', values='20220328230100Z'},LDAPAttribute {type='ctscPasswordCreationDate', values='20130328230140Z'},LDAPAttribute {type='ctscPasswordExpirationDate', values='20130527230140Z'},LDAPAttribute {type='ctscUserKeywords', values='NotExpired,PasswordPolicy'},LDAPAttribute {type='ctscLockoutExpirationDate', values='20130328230140Z'},LDAPAttribute {type='ctscLastResetDate', values='20130328230140Z'},LDAPAttribute {type='mail', values='user1@supportlab7.com'},LDAPAttribute {type='sn', values='user1'},LDAPAttribute {type='postalcode', values='User1Value'}'}
15:28:15.600 ldc=8 op=26 SearchResult {resultCode=0}
15:28:15:607 [*] [pool-8-thread-1] - 
***************************
15:28:15:607 [*] [pool-8-thread-1] - RPCManager.invokeLocalProcedure(): Exception in myDomainMapper.convertNodeToObject()
15:28:15:607 [*] [pool-8-thread-1] - java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
    at sirrus.da.auth.Entity.initSpecialPropertyMaps(Entity.java:962)
    at sirrus.da.ldap.auth.LDAPEntity.init(LDAPEntity.java:134)
    at sirrus.da.ldap.auth.LDAPEntity.<init>(LDAPEntity.java:116)
    at sirrus.da.ldap.auth.LDAPUser.<init>(LDAPUser.java:86)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory.getUserByName_aroundBody2(LDAPEntityFactory.java:249)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory$AjcClosure3.run(LDAPEntityFactory.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtDALLayer(LogExecutionTimeAspect.java:66)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory.getUserByName(LDAPEntityFactory.java:209)
    at sirrus.da.auth.cache.factory.CachingEntityFactory.getUserByName_aroundBody2(CachingEntityFactory.java:274)
    at sirrus.da.auth.cache.factory.CachingEntityFactory$AjcClosure3.run(CachingEntityFactory.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtDALLayer(LogExecutionTimeAspect.java:66)
    at sirrus.da.auth.cache.factory.CachingEntityFactory.getUserByName(CachingEntityFactory.java:203)
    at sirrus.da.auth.Entity.getUserByName(Entity.java:88)
    at sirrus.authserver.AuthorizationAPI.getEntityByMap(AuthorizationAPI.java:3795)
    at sirrus.authserver.AuthorizationAPI.authenticate(AuthorizationAPI.java:762)
    at sirrus.authserver.DebugAuthorizationAPI.authenticate(DebugAuthorizationAPI.java:134)
    at sirrus.authserver.DebugAuthorizationAPI.authenticate(DebugAuthorizationAPI.java:122)
    at sirrus.authserver.TCPServerAPIAdaptor.authenticate_aroundBody2(TCPServerAPIAdaptor.java:94)
    at sirrus.authserver.TCPServerAPIAdaptor$AjcClosure3.run(TCPServerAPIAdaptor.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtRuntimeAPI(LogExecutionTimeAspect.java:38)
    at sirrus.authserver.TCPServerAPIAdaptor.authenticate(TCPServerAPIAdaptor.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at sirrus.util.io.rpc.FunctionMapping.createObjectFromFunctionNode(FunctionMapping.java:127)
    at sirrus.util.io.rpc.BasicDomainMapper$8.map(BasicDomainMapper.java:255)
    at sirrus.util.io.rpc.NodeToObjectMapper.map(NodeToObjectMapper.java:45)
    at sirrus.util.io.rpc.BasicDomainMapper.convertFunctionNodeToObject(BasicDomainMapper.java:244)
    at sirrus.util.io.rpc.fope.FunctionNode.convertToObject(FunctionNode.java:67)
    at sirrus.util.io.rpc.BasicDomainMapper.convertNodeToObject(BasicDomainMapper.java:225)
    at sirrus.util.io.rpc.RPCManager.invokeLocalProcedure_aroundBody0(RPCManager.java:146)
    at sirrus.util.io.rpc.RPCManager$AjcClosure1.run(RPCManager.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtMUXLayer(LogExecutionTimeAspect.java:111)
    at sirrus.util.io.rpc.RPCManager.invokeLocalProcedure(RPCManager.java:129)
    at sirrus.authserver.MuxRequestThreadPool$MuxWorkerTask.call(MuxRequestThreadPool.java:387)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
15:28:15:611 [*] [pool-8-thread-1] - ***************************
 

Cause

This error occurs when more than one user property is defined with the same user property name. Only one instance of a user property name may exist.

The duplicate can arise from a change to Administrative Group permissions introduced in Access Manager 6.2. Before 6.2, user properties were global objects that any Administrative Group could manipulate: when a new user property was added, the server checked whether a property of that name already existed and refused to create a duplicate. In 6.2 user properties were assigned to a specific Administrative Group, and only administrators of that group have permission to create and manipulate them, or, when a property is marked Private, to view it. What this change did not anticipate is that a new property name must still be checked against the user properties of every other Administrative Group, so that duplicate names cannot be defined. Because an administrator has no permission to view other groups' private user properties, the current code lets that administrator create a second user property with the same name.
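The server does not name the offending property in the stack trace, but the SearchRequest it sends to LDAP just before the exception does carry a clue: in the request above, postalcode is requested twice, and the two debug lines preceding the request print postalcode twice, which is consistent with two user properties mapped to that attribute. The following script is an added example, not RSA code, that parses SearchRequest lines in the format shown above and reports every attribute requested more than once, together with the LDAP filter (so the affected user is visible). The sample log embedded in it is constructed from this article's request, with the password hash and DNs kept as placeholders. Note that ctscUserKeywords is requested three times in the article's own SearchRequest as well, so the report must be compared against the user property definitions of each Administrative Group rather than read as a list of defects.

```python
import re
import sys
from collections import Counter

# Constructed sample of aserver.out DEBUG output, modelled on the lines in this
# article. The hash, DNs and attribute values are placeholders, not real data.
SAMPLE_ASERVER_OUT = """\
15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15.599 ldc=8 op=26 SearchRequest {baseObject=ou=People, dc=corp, dc=rsasecurity, scope=1, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(&(objectclass=inetOrgPerson)(uid=user1)), attributes=uid+userpassword+ctscAccountStartDate+ctscAccountEndDate+ctscPasswordCreationDate+ctscPasswordExpirationDate+ctscUserKeywords+ctscUserKeywords+ctscUserKeywords+ctscFailedLoginCount+ctscLockoutExpirationDate+ctscLastResetDate+mail+givenname+sn+postalcode+postalcode}
15:28:15.600 ldc=8 op=26 SearchResult {resultCode=0}
15:28:15:607 [*] [pool-8-thread-1] - java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
"""

# One SearchRequest per line: "<ts> ldc=<n> op=<n> SearchRequest {<body>}".
SEARCH_REQUEST_RE = re.compile(
    r"^(?P<ts>\S+)\s+ldc=(?P<ldc>\d+)\s+op=(?P<op>\d+)\s+SearchRequest\s+\{(?P<body>.*)\}\s*$"
)
# The attribute list is '+'-joined and is the last field of the body.
ATTRS_RE = re.compile(r"attributes=(?P<attrs>[^,}\s]+)")
# The filter is a parenthesised expression that precedes the attribute list.
FILTER_RE = re.compile(r"filter=(?P<filter>\(.*?\)),\s*attributes=")


def parse_search_requests(text):
    """Return one dict per SearchRequest line found in the given log text."""
    requests = []
    for line in text.splitlines():
        m = SEARCH_REQUEST_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        am = ATTRS_RE.search(body)
        if not am:
            continue
        fm = FILTER_RE.search(body)
        requests.append({
            "ts": m.group("ts"),
            "ldc": int(m.group("ldc")),
            "op": int(m.group("op")),
            "filter": fm.group("filter") if fm else None,
            # LDAP attribute names are case-insensitive, so normalise before counting.
            "attributes": [a.lower() for a in am.group("attrs").split("+")],
        })
    return requests


def duplicate_attributes(attrs):
    """Return {attribute: count} for every attribute that appears more than once."""
    counts = Counter(attrs)
    return {name: n for name, n in counts.items() if n > 1}


def find_duplicates(text):
    """Return the SearchRequests whose attribute list repeats at least one attribute."""
    findings = []
    for req in parse_search_requests(text):
        dups = duplicate_attributes(req["attributes"])
        if dups:
            findings.append({
                "ts": req["ts"],
                "ldc": req["ldc"],
                "op": req["op"],
                "filter": req["filter"],
                "duplicates": dups,
            })
    return findings


def report(findings):
    """Render findings as plain text, one line per repeated attribute."""
    lines = []
    for f in findings:
        for name, n in sorted(f["duplicates"].items()):
            lines.append(
                f"{f['ts']} ldc={f['ldc']} op={f['op']} filter={f['filter']}: "
                f"attribute '{name}' requested {n} times"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_aserver_dups.py [path/to/aserver.out]
    # Without an argument the constructed sample above is analysed.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ASERVER_OUT
    print(report(find_duplicates(text)) or "no repeated attributes found")
```

Run it against a copy of aserver.out captured at DEBUG level while a failing logon is reproduced; each repeated attribute that is not a ctsc* built-in should correspond to a user property name that exists in more than one Administrative Group.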
Resolution

This issue will be fixed in a hotfix for RSA Access Manager 6.2.3 (SP3). Contact RSA Customer Support and request the latest cumulative hotfix.
6.2.3 (SP3) allows separate user properties with the same name to be defined for administrative purposes, but at runtime they are treated as a single user property.

Workaround
  1. Create user properties as Public rather than Private. Public properties are visible to other administrators, and a user property cannot be created with the same name as an existing public user property.
  2. Use a SuperUser administrative user to create user properties. The SuperUser can still create user properties that are visible only to specific Administrative Groups, but it always checks for an existing public or private user property with the same name before doing so.
  3. Create Administrative Roles that restrict creation of user properties to administrators in one particular Administrative Group (for example the Default Administrative Group) or to SuperUsers.
