000029179 - Getting an error when deleting external identity source

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029179
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
Platform (Other): virtual appliance
O/S Version: ESXi 5.0
Product Name: RSA-0010010
Product Description: RSA Authentication Manager
Issue
A Super Admin is unable to delete an external identity source that is no longer used in the deployment.
The following error appears when deleting the external identity source from the primary Operations Console (click Deployment Configuration > Identity Sources > Manage Existing, click the identity source you want to delete, then click Delete from the context menu):
"There was a problem processing your request.
To delete an identity source, you must do the following:
- Unlink the identity source if it is linked to the system
- Schedule the 'Identity Sources Cleanup Job' batch job, and confirm that the job ran successfully. (This job removes identity source references from the internal database.)"
imsOCTrace.log produced this error:
@@@2014-12-04 09:22:35,909, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTargetBase.java:178), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, rsa01.staff.xyz.com,,,,Exception during command execution.
   com.rsa.command.exception.ObjectInUseException: Cannot delete an identity source with registered users and groups
                   at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
                   at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:464)
                   at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:272)
                   at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_1211_WLStub.executeCommand(Unknown Source)
                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                   at java.lang.reflect.Method.invoke(Method.java:597)
                   at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
                   at com.sun.proxy.$Proxy72.executeCommand(Unknown Source)
                   at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:251)
                   at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:1)
                   at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
                   at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
                   at weblogic.security.Security.runAs(Security.java:61)
                   at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:51)
                   at com.rsa.command.EJBRemoteTargetBase.executeCommand(EJBRemoteTargetBase.java:167)
                   at com.rsa.command.TargetableCommand.execute(TargetableCommand.java:297)
                   at com.rsa.admin.DeleteIdentitySourceCommand.execute(DeleteIdentitySourceCommand.java:122)
                   at com.rsa.ims.common.operationsconsole.utils.CommandUtil.executeIMSCommand(CommandUtil.java:178)
                   at com.rsa.ims.web.operationsconsole.action.handler.IdentitySourceHandler.delete(IdentitySourceHandler.java:524)
                   at com.rsa.ims.web.operationsconsole.action.IdentitySourceWizardConnectionAction.delete(IdentitySourceWizardConnectionAction.java:565)
                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                   at java.lang.reflect.Method.invoke(Method.java:597)
                   at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:266)
                   at com.rsa.ui.common.struts.action.RSABaseDispatchAction.execute(RSABaseDispatchAction.java:180)
                   at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:413)
                   at com.rsa.ui.common.util.RSAWebRequestProcessor.process(RSAWebRequestProcessor.java:220)
                   at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1858)
                   at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:459)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
                   at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
                   at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
                   at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
                   at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
                   at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:352)
                   at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at com.rsa.ui.common.filter.I18NFilter.doFilter(I18NFilter.java:96)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at com.rsa.ui.common.security.csrf.CSRFFilter.doFilterInternal(CSRFFilter.java:166)
                   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at com.rsa.ui.common.filter.UrlValidationFilter.doFilter(UrlValidationFilter.java:133)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at com.rsa.ims.common.operationsconsole.security.filter.CommonOCIMSSignOnFilter$1.run(CommonOCIMSSignOnFilter.java:179)
                   at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
                   at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
                   at com.rsa.ims.common.operationsconsole.security.filter.CommonOCIMSSignOnFilter.doFilter(CommonOCIMSSignOnFilter.java:176)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at com.rsa.ims.common.operationsconsole.security.filter.CommonOCSignOnFilter.doFilter(CommonOCSignOnFilter.java:107)
                   at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                   at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3288)
                   at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
                   at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
                   at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
                   at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
                   at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
                   at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
                   at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
                   at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1512)
                   at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
                   at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
                   at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

The Super Admin had already unlinked the identity source from the realm before attempting to delete it.

Cause
The Super Admin cannot delete an identity source because users and groups still have registered references in the Authentication Manager database.
The existing identity sources, which are no longer needed, may have been migrated from an RSA Authentication Manager 7.1 deployment.

Resolution
Run the cleanup after either adding a new identity source or editing the existing one to use a User Base Distinguished Name (DN) in the same AD tree whose Organisational Unit (OU) has no reference to objects with an objectClass of 'user'.
For example, suppose the existing identity source is similar to the following:

Identity Source: Junior Staff
User Base DN: OU=Junior Users,DC=Staff,DC=XYZ,DC=COM
Group Base DN: OU=Junior Groups,DC=Staff,DC=XYZ,DC=COM

Create a new identity source: TestRemove
User Base DN: OU=Empty Users,DC=Staff,DC=XYZ,DC=COM
Group Base DN: OU=Empty Groups,DC=Staff,DC=XYZ,DC=COM

Link TestRemove in Security Console > Setup > Identity Sources > Link Identity Source to System.

Run Cleanup Unresolvable Users against the identity source, configured with the Grace Period disabled (Security Console > Setup > Identity Sources > Cleanup Unresolvable Users).

After the cleanup runs, confirm that it succeeded.

Unlink the identity source.

Attempt to delete the identity source from the Operations Console (click Deployment Configuration > Identity Sources > Manage Existing, click the identity source you want to delete, then click Delete from the context menu).

This should remove the problematic identity source from use within the system.

Repeat the above for another external identity source.
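
The resolution depends on the new User Base DN really having no objects with an objectClass of 'user', which can be checked from LDIF output before the identity source is repointed. The script below is an added example, not RSA tooling: it counts such entries in LDIF as produced by OpenLDAP's ldapsearch, and the directory host, bind DN and sample LDIF are constructed placeholders.

```shell
#!/bin/sh
# Added example (not RSA code). Reads LDIF on stdin and prints how many entries
# carry objectClass 'user'. Real input would come from OpenLDAP ldapsearch, e.g.
# (host and bind DN are placeholders; the base DN is the article's example):
#   ldapsearch -LLL -H ldaps://dc.example.invalid -D '<bind DN>' -W -s sub \
#     -b 'OU=Empty Users,DC=Staff,DC=XYZ,DC=COM' '(objectClass=user)' objectClass
count_user_entries() {
    awk '
    function end_entry() { if (in_entry && is_user) users++; in_entry = is_user = 0 }
    function handle(l) {
        if (l == "") { end_entry(); return }        # blank line closes an entry
        if (l ~ /^#/) return                         # LDIF comment
        l = tolower(l)
        if (l ~ /^dn::? /) in_entry = 1              # dn:: is a base64-encoded DN
        if (l ~ /^objectclass: *user$/) is_user = 1
    }
    { sub(/\r$/, "") }                               # tolerate CRLF exports
    /^ / && have { buf = buf substr($0, 2); next }   # unfold a continuation line
    { if (have) handle(buf); buf = $0; have = 1 }
    END { if (have) handle(buf); end_entry(); print users + 0 }
    '
}

# Exit status 0 only when the LDIF on stdin holds no user-class entry.
base_has_no_users() { [ "$(count_user_entries)" -eq 0 ]; }

# Constructed sample data (not real directory output).
SAMPLE_POPULATED='dn: CN=Jane Doe,OU=Junior Users,DC=Staff,DC=XYZ,DC=COM
objectClass: top
objectClass: person
objectClass: user

dn: CN=HOST01,OU=Junior Users,DC=Staff,DC=XYZ,DC=COM
objectClass: user
objectClass: computer

dn: OU=Nested,OU=Junior Users,DC=Staff,DC=XYZ,DC=COM
objectClass: organizationalUnit
'
SAMPLE_EMPTY='dn: OU=Empty Users,DC=Staff,DC=XYZ,DC=COM
objectClass: organizationalUnit
'

for name in POPULATED EMPTY; do
    eval "ldif=\$SAMPLE_$name"
    if printf '%s' "$ldif" | base_has_no_users; then verdict="no user objects"
    else verdict="$(printf '%s' "$ldif" | count_user_entries) user object(s) present"; fi
    echo "$name: $verdict"
done
```

In Active Directory, computer accounts also carry objectClass user, so they are counted here, in line with the article's wording.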
