000023901 - Access Denied when trying to log in to KMS administration panel

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000023901
Applies To: RSA Key Manager server 2.0, Oracle Database, Microsoft SQL Server
Issue: After restarting KMS, an administrator logs in to the KMS Administration Panel to enter the master passphrase.
On entering the administrative credentials, the user is denied access ("Access Denied").
The ClearTrust agent log and the authorization server debug log report the password as expired.
Cause: The password has expired in the datastore.
Resolution

In the normal case, the user should be able to reset the password in ClearTrust's Entitlements Manager (admingui).  However, if that option is not available, the password expiration dates can be manually adjusted directly in the datastore.

In Microsoft SQL Server, the password record is in the table CT.PASSWORD; in Oracle, the password record is in CT_OWNER.PASSWORD.  In both cases, the relevant field is EXPIRATION_DATE.  This can be manually adjusted forward to allow the user to log in.  Note that if the password has expired because its lifetime (the current date less the date in the PASSWORD_CREATION_DATE field) is greater than the password policy's lifetime, you must also adjust PASSWORD_CREATION_DATE forward; otherwise the password remains expired for policy reasons even though it is no longer explicitly expired.

Note: By manually adjusting dates directly in the password table, the various fields can become unsynchronized.  At the first opportunity, log in to the Entitlements Manager and reset the password there to correctly and completely write the new password and affiliated data to the datastore.

Here's an example of how to update password expiry dates in an Oracle db:

Once connected to the db via sqlplus using CT_OWNER credentials, use the following SQL statements to update dates:

1. List all records in PASSWORD table including account names from USERS table:

SELECT USERS.NAME, PASSWORD.USER_ID, PASSWORD.PASSWORD_CREATION_DATE, PASSWORD.EXPIRATION_DATE FROM USERS, PASSWORD WHERE PASSWORD.USER_ID = USERS.ID;

2. Update password creation date and password expiry date for, say, a user with user_id = 4:

UPDATE PASSWORD SET PASSWORD_CREATION_DATE = '01-May-2008', EXPIRATION_DATE = '29-May-2008' WHERE USER_ID = 4;

3. Commit the changes to db:

COMMIT;
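
The two expiry conditions described in the Resolution can be checked with a read-only query, run before the UPDATE and again before the COMMIT. This is an added example, not part of the original RSA article; it assumes both date fields are Oracle DATE columns and that the operator supplies the policy lifetime in days (90 here is a constructed value, since the article does not say where the policy is stored).

```sql
-- Added example (not from the original article).
-- Run in sqlplus while connected as CT_OWNER. Read-only: changes nothing.
-- Assumption: EXPIRATION_DATE and PASSWORD_CREATION_DATE are DATE columns.
-- Assumption: the policy lifetime is known to the operator; 90 is a constructed value.
DEFINE policy_lifetime_days = 90
-- Classify each account by which of the two expiry conditions applies,
-- so it is clear whether one date or both must be moved forward.
SELECT u.NAME,
       p.USER_ID,
       p.PASSWORD_CREATION_DATE,
       p.EXPIRATION_DATE,
       TRUNC(SYSDATE - p.PASSWORD_CREATION_DATE) AS AGE_DAYS,
       CASE
         -- Missing dates cannot be compared; flag them instead of reporting VALID.
         WHEN p.EXPIRATION_DATE IS NULL OR p.PASSWORD_CREATION_DATE IS NULL
           THEN 'CHECK MANUALLY: date missing'
         -- Explicitly expired and older than the policy lifetime.
         WHEN p.EXPIRATION_DATE < SYSDATE
          AND SYSDATE - p.PASSWORD_CREATION_DATE > &policy_lifetime_days
           THEN 'EXPIRED: adjust both dates'
         -- Explicitly expired only.
         WHEN p.EXPIRATION_DATE < SYSDATE
           THEN 'EXPIRED: adjust EXPIRATION_DATE'
         -- Not explicitly expired, but older than the policy lifetime.
         WHEN SYSDATE - p.PASSWORD_CREATION_DATE > &policy_lifetime_days
           THEN 'EXPIRED BY POLICY: adjust PASSWORD_CREATION_DATE'
         ELSE 'VALID'
       END AS STATUS
FROM   USERS u
JOIN   PASSWORD p ON p.USER_ID = u.ID
ORDER  BY u.NAME;
```

If the account being repaired does not show VALID after the UPDATE, issue ROLLBACK instead of COMMIT and correct the dates.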
Legacy Article ID: a35922
