000028968 - No identity source available in RSA Authentication Manager 8.1 patch 5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Aug 26, 2019.
Version 4

Article Content

Article Number: 000028968
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 patch 5
Issue
When logged in to the Security Console, selecting Settings > Self Service Settings and then Identity Sources displays the following error:

There was a problem processing your request.
No Identity Source is available

 

Identity sources are configured and users are seen in the Security Console.
Users can log onto self-service console page and request a token.
Admins can assign tokens and see both internal and external identity sources.
Cause
In the Security Console, set logging to verbose.

Review the /opt/rsa/am/....imsTrace.log for messages such as:
2014-10-21 13:10:40,617, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AbstractPropertiesSynchronizer.java:695), trace.com.rsa.ims.security.keymanager.sys.AbstractPropertiesSynchronizer, WARN, den-prod-auth-01.quickplay.local,,,,Database information not found
com.rsa.common.DataNotFoundException: No data for 0000-Global-0000.ims.sso.filter.properties found


The reason for this error is that the enrollment of identity sources differs between Authentication Manager 7.1 and Authentication Manager 8.0/8.1; that is, only internal database users are enrolled in Authentication Manager 8.0/8.1. Migration from 7.1 to 8.0/8.1 has introduced the above issue. The root cause of the defect is how the migration is handled for user enrollment.
 
Resolution
A fix for this issue is scheduled for Authentication Manager 8.1 patch 6 or patch 7.
Workaround
  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  3. Navigate to /opt/rsa/am/utils.
  4. Run the command rsautil manage-secrets -a get com.rsa.db.dba.password to obtain the com.rsa.db.dba.password. You will need to provide the Operations Console user name and password to run the command. Record the value for the password returned.


rsaadmin@am81p:~> cd /opt/rsa/am/utils/
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.db.dba.password: <output of the com.rsa.db.dba.password for your instance>


  5. Navigate to /opt/rsa/am/pgsql/bin:


cd /opt/rsa/am/pgsql/bin


  6. Run the following commands:


./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select * from RSA_REP.UCM_IDENTITY_SOURCES;' -o /tmp/idsources.txt
./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select id, name, src_type, internal_store, runtime_only FROM RSA_REP.IMS_IDENTITY_SOURCE;' -o /tmp/idnames.txt


  7. Look for the identitysource_id in idsources.txt and the runtime_only in the idnames.txt file. The values should be the same, e.g. 24205f6d0465a8c0027cf59121f24159. This value will be used in the workaround update.
  8. Since this update uses single quotes, run it from the SQL prompt instead of with -c:


./psql -h localhost -p 7050 -d db -U rsa_dba -o /tmp/updateIS.txt
Password for user rsa_dba: <enter the password from step 4 above>
 db-# UPDATE RSA_REP.UCM_IDENTITY_SOURCES SET available_status=0 WHERE identitysource_id='24205f6d0465a8c0027cf59121f24159';
 db-# \q


The above query should resolve the issue. After running the query, make sure the internal database is added for enrollment, if required, from Self-Service Settings > Identity Sources.
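The comparison of idsources.txt and idnames.txt described above can be scripted. This is an added example, not part of the RSA article: it extracts the IDs from both psql output files and prints the UPDATE statement only when exactly one ID is common to both. The function names, the 32-hex-character ID format (inferred from the example value on this page) and the sample file contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not RSA code): cross-check the two psql output files before the UPDATE.
# Assumption: identity source IDs are 32 hex characters, like the example value on this page.

# Print each 32-hex-character token in a file once, lower-cased.
extract_ids() {
    grep -owiE '[0-9a-f]{32}' "$1" | tr 'A-F' 'a-f' | sort -u
}

# Print the IDs that appear in both files.
shared_ids() {
    extract_ids "$1" | while read -r id; do
        if extract_ids "$2" | grep -qx "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# Emit the UPDATE statement only when exactly one ID is common to both files,
# so nothing unvalidated gets pasted into the psql session.
build_update() {
    ids=$(shared_ids "$1" "$2")
    count=$(printf '%s\n' "$ids" | grep -c '^[0-9a-f]\{32\}$' || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 shared ID, found $count; review the files by hand" >&2
        return 1
    fi
    printf "UPDATE RSA_REP.UCM_IDENTITY_SOURCES SET available_status=0 WHERE identitysource_id='%s';\n" "$ids"
}

# Constructed sample data (simplified column layout, not real appliance output).
umask 077                        # files created below are readable only by the current user
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/idsources.txt" <<'EOF'
 24205f6d0465a8c0027cf59121f24159 | 1
EOF
cat > "$SAMPLE_DIR/idnames.txt" <<'EOF'
 24205f6d0465a8c0027cf59121f24159 | ExampleLDAP
 0123456789abcdef0123456789abcdef | Internal Database
EOF

build_update "$SAMPLE_DIR/idsources.txt" "$SAMPLE_DIR/idnames.txt"
```

If the script reports zero or several shared IDs, compare the files manually as the step describes.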
Notes
Same symptom as Jira AM-27838/AM-26825, which were fixed in patch 1.
 
