000013054 - Authentication Manager Self-Service Console showing error This token type is not allowed in UCM

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013054
Applies ToRSA Authentication Manager 8.x
RSA Authentication Manager 7.x
RSA SecurID Appliance 3.0.x
IssueThe error message "This-token-type-is-not-allowed-in-UCM"shows in the Self-Service Console when requesting a token.  
The hostname_server.log located in 
C:\Program Files\RSA Security\RSA Authentication Manager\server\logs (Authentication Manager 7.1 on Microsoft Windows 2003 Server or Microsoft Windows 2008 Server), /usr/local/RSASecurity/RSAAuthenticationManager/server/logs (Authentication Manager 7.1 on Solaris, Red Hat or RSA SecurID Appliance 3.0) or /opt/rsa/am/server/logs (Authentication Manager 8.x) will show the following error while creating a self-service request for enrollment with hardware token
com.rsa.command.exception.InvalidArgumentException: This token type is not allowed in UCM
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:217)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:338)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:252)
at com.rsa.command.CommandServer_qt4u4w_EOImpl_1000_WLStub.executeFrameworkManagedTx(Unknown Source)
at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:219)
at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:168)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.security.Security.runAs(Security.java:61)
CauseBefore using the self-service-request samples which come with the RSA Authentication Manager 7.1 SDK (available at http://edelivery.rsasecurity.com/docs/rsa_securid/rsa_auth_mgr/71/am7.1_sdk.zip) you must first configure the desired setting for how your self-service system will work.  These settings are found in the Security Console under Setup>Component Configuration>Credential Manager
 * * * * * * * * * * * * * * * *

This error can also happen when not using the SDK.  A customer can set up Credential Manager > Manage Tokens to allow users to request one type of token (for example, Desktop PC 4.0) but when the user goes to the Self-Service Console he selects Generic AES.  Since this is not an approved token type, the error message "This token type is not allowed in UCM."  To resolve the issue simply add the correct token type.
ResolutionThis specific error is cause because the sample code generates a request for a hardware token but the self-service system (Credential Manager) has not been configured to enable hardware tokens to be requested.  This option is handled on the Manage Tokens link under the Token Provisioning section and the option to allow users to "
WorkaroundRunning the SDK example code CreateSelfServiceRequest.class
Legacy Article IDa50271