000029179 - Unlink the identity source if it is linked to the system error when deleting an unlinked external identity source in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support on Jan 8, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029179
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueA super admin is unable to delete the external identity source no longer used in the deployment. THe following error is seen when deleting external identity source from the primary Operations Console (Deployment Configuration > Identity Sources > Manage Existing.  Click the identity source you want to delete and from the context menu, click Delete):
 
There was a problem processing your request. To delete an identity source, you must do the following:


  • Unlink the identity source if it is linked to the system
  • Schedule the 'Identity Sources Cleanup Job' batch job, and confirm that the job ran successfully.

(This job removes identity source references from the internal database.)


The following error is in the /opt/rsa/am/server/logs/imsOCTrace.log:

@@@2014-12-04 09:22:35,909, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'],
(EJBRemoteTargetBase.java:178), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, rsa01.staff.xyz.com,,,,
Exception during command execution.
com.rsa.command.exception.ObjectInUseException: Cannot delete an identity source with registered users and groups
                at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
                at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:464)
                at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:272)
                at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_1211_WLStub.executeCommand
(Unknown Source)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84)
                at com.sun.proxy.$Proxy72.executeCommand(Unknown Source)
                at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:251)
                at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:1)
                at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
                at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
                at weblogic.security.Security.runAs(Security.java:61)
                at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:51)
                at com.rsa.command.EJBRemoteTargetBase.executeCommand(EJBRemoteTargetBase.java:167)
                at com.rsa.command.TargetableCommand.execute(TargetableCommand.java:297)
                at com.rsa.admin.DeleteIdentitySourceCommand.execute(DeleteIdentitySourceCommand.java:122)
                at com.rsa.ims.common.operationsconsole.utils.CommandUtil.executeIMSCommand(CommandUtil.java:178)
                at com.rsa.ims.web.operationsconsole.action.handler.IdentitySourceHandler.delete
(IdentitySourceHandler.java:524)
                at com.rsa.ims.web.operationsconsole.action.IdentitySourceWizardConnectionAction.delete
(IdentitySourceWizardConnectionAction.java:565)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:266)
                at com.rsa.ui.common.struts.action.RSABaseDispatchAction.execute(RSABaseDispatchAction.java:180)
                at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:413)
                at com.rsa.ui.common.util.RSAWebRequestProcessor.process(RSAWebRequestProcessor.java:220)
                at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1858)
                at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:459)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
                at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
                at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
                at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
                at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:352)
                at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at com.rsa.ui.common.filter.I18NFilter.doFilter(I18NFilter.java:96)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at com.rsa.ui.common.security.csrf.CSRFFilter.doFilterInternal(CSRFFilter.java:166)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at com.rsa.ui.common.filter.UrlValidationFilter.doFilter(UrlValidationFilter.java:133)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at com.rsa.ims.common.operationsconsole.security.filter.CommonOCIMSSignOnFilter$1.run
(CommonOCIMSSignOnFilter.java:179)
                at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
                at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
                at com.rsa.ims.common.operationsconsole.security.filter.CommonOCIMSSignOnFilter.doFilter
(CommonOCIMSSignOnFilter.java:176)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at com.rsa.ims.common.operationsconsole.security.filter.CommonOCSignOnFilter.doFilter
(CommonOCSignOnFilter.java:107)
                at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
                at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun
(WebAppServletContext.java:3288)
                at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run
(WebAppServletContext.java:3254)
                at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
                at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
                at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
                at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
                at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
                at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
                at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1512)
                at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run
(ContainerSupportProviderImpl.java:254)
                at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
                at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)


The super admin already unlinked the identity source from realm before attempting to delete it.
 
CauseThe super admin cannot delete an identity source because users and groups have registered references in the RSA Authentication Manager database. The existing identity sources may have been migrated from an RSA Authentication Manager 7.1 deployment that are no longer needed.
ResolutionRun the cleanup after either adding a new identity source or editing the existing one to use a User Base Distinguished Name (DN) in the same AD tree where the Organisational Unit (OU) has no reference to objects with an objectClass of 'user'.
  1. For example, the existing identity source is similar to what is shown here:

Identity Source: Junior Staff


User Base DN:   OU=Junior Users,DC=Staff,DC=XYZ,DC=COM


Group Base DN: OU=Junior Groups,DC=Staff,DC=XYZ,DC=COM


  1. Create a new identity source named TestRemove, with the User Bas DN and Group Base DN as shown:

User Base DN:   OU=Empty Users,DC=Staff,DC=XYZ,DC=COM
Group Base DN: OU=Empty Groups,DC=Staff,DC=XYZ,DC=COM


  1. Link TestRemove in the Security Console under Setup > Identity Sources > Link Identity Source to System.
  2. Navigate to Setup > Identity Sources > Cleanup Unresolvable Users and run the job to cleanup unresolvable users against the identity source configured with the grace period set to Disabled.
  3. After the cleanup runs, confirm that it succeeded
  4. Unlink the identity source.
  5. Attempt to delete the identity source from the Operations Console (Deployment Configuration > Identity Sources > Manage Existing.  Click the identity source you want to delete and from the context menu, click Delete).  This should remove the problematic identity source from use within the system.
  6. Repeat the steps above for any other external Identity Source you wish to delete.

Attachments

    Outcomes